Virus: TR/Drop.Mario.97280
Date discovered: 03/11/2009
Type: Trojan
Subtype: Dropper
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 97.280 Bytes
MD5 checksum: 03630b362e33623d60ce7a89fb86a3f4
IVDF version: 7.01.06.185 - Tuesday, November 3, 2009

General Aliases:
   • Sophos: W32/MarioF-O
   • Panda: W32/MarioF.Y.worm
   • Eset: Win32/Pinit.Q
   • Bitdefender: Worm.Generic.55296


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\azton.mt



It overwrites the following file:
   • %SYSDIR%\dllcache\user32.dll



It deletes the following files:
   • %SYSDIR%\user32.dll
   • %SYSDIR%\huscfxdx



The following files are created:
   • %SYSDIR%\wvwk
   • %SYSDIR%\fe3.wa
   • %SYSDIR%\ewf3.pxf
   • %SYSDIR%\nvtpm32.dll
     Further investigation pointed out that this file is malware, too. Detected as: Worm/Pinit.DJ
   • %SYSDIR%\user32.dll



It tries to download some files:

– The locations are the following:
   • http://b.albansheih.com/tpsa/gate/**********
   • http://213.155.7.248/tpsa/gate/**********
   At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://213.155.7.248/tpsa/gate/**********
   At the time of writing this file was not online for further investigation.

Registry
The following registry keys are added:

– [HKLM\SOFTWARE\9]
   • "31897356954C2CD3D41B221E3F24F99BBA"=dword:0x055f9c6f
   • "31AC70412E939D72A9234CDEBB1AF5867B"="nqrckqqlqdrqrirprhqoqrqdqpoinfnhmjmqrjrjlmmdmprmqgnomp"
   • "31C2E1E4D78E6A11B88DFA803456A1FFA5"=dword:0x00000000

– [HKLM\SOFTWARE\1]
   • "31897356954C2CD3D41B221E3F24F99BBA"=dword:0x025c00b3
   • "31AC70412E939D72A9234CDEBB1AF5867B"="efipdhioiijnjpjcjmidigigimgfgkgkhkhfcojedpejfgeejiikfjfcer"
   • "31C2E1E4D78E6A11B88DFA803456A1FFA5"=dword:0x00000000



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
   New value:
   • "MID"="11F47EBD68DD41C68472E07001A5569559799C00B1B64745878B3650EB8E7E09"

– [HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server]
   New value:
   • "fDenyTSConnections"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • "pmpInit_Dlls"="nvtpm32"

– [HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
   New value:
   • "EnableConcurrentSessions"=dword:0x00000001

File details
Runtime packer:
To hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, March 2, 2010
Description updated by Petre Galan on Wednesday, March 3, 2010
