Virus: TR/Matsnu.A.75
Date discovered: 26/08/2012
Type: Trojan
In the wild: No
Reported Infections: Medium to high
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 65.536 Bytes
MD5 checksum: B80FCBA4B91876363A2977DAA472A143
VDF version: 7.11.40.252 - Sunday, August 26, 2012
IVDF version: 7.11.40.252 - Sunday, August 26, 2012

General
Method of propagation:
   • Email


Aliases:
   • Kaspersky: Trojan.Win32.Agentb.adm
   • Bitdefender: Trojan.Generic.KDV.708823
   • Eset: Win32/Trustezeb.C
   • DrWeb: Trojan.DownLoader6.48319


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Right after execution the following information is displayed:


Files
It copies itself to the following locations:
   • %TEMPDIR%\%random character string%.pre
   • %APPDATA%\%random character string%\%random character string%.exe



It deletes the initially executed copy of itself.

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%APPDATA%\%random character string%\%random character string%.exe"
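The %APPDATA% copy and the Run-key value above together describe a persistence pattern that can be hunted for on a host. The following Python is an added example, not Avira's own code: it parses a constructed `reg export` of the HKCU Run key, flags values whose target has the %APPDATA%\<string>\<string>.exe shape described above, and compares a file's size and MD5 against the values listed at the top of this page. The sample export, its value names and paths are constructed; that an expanded %APPDATA% resolves to `\Users\<name>\AppData\Roaming` is an assumption about the profile layout.

```python
import hashlib
import re

# Indicators taken from the description above.
KNOWN_MD5 = "b80fcba4b91876363a2977daa472a143"
KNOWN_SIZE = 65536

# Constructed sample of what
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# produces (UTF-16 on disk; already decoded to text here). The "qzkxwvba" and
# "updater" entries imitate the autorun value described above (unexpanded and
# expanded %APPDATA%); the other two are benign-looking fillers.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qzkxwvba"="%APPDATA%\\qzkxwvba\\txnvhrgl.exe"
"Vendor Tray"="C:\\Users\\alice\\AppData\\Roaming\\Vendor\\Tray\\tray.exe"
"updater"="\"C:\\Users\\alice\\AppData\\Roaming\\hjkqwe\\nbvcxz.exe\""
'''

# "Name"="value" lines of a .reg file; both sides may contain \\ and \" escapes.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Path shape described above: %APPDATA%\<random>\<random>.exe, either with the
# variable unexpanded or already expanded to the Roaming profile directory
# (assumed layout). Exactly one directory level, then the executable.
APPDATA_RANDOM_RE = re.compile(
    r'^(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)'
    r'\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe$',
    re.IGNORECASE,
)


def _unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash-escaped character becomes that character."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_run_export(text: str) -> dict:
    """Return {value_name: command} for every value under a ...\CurrentVersion\Run key."""
    entries = {}
    in_run_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_run_key = line.lower().endswith(r'\currentversion\run]')
            continue
        m = REG_VALUE_RE.match(line) if in_run_key else None
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def executable_path(command: str) -> str:
    """Strip quoting and trailing arguments from a Run value to get the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def find_suspicious_run_entries(entries: dict) -> list:
    """List (value_name, path) pairs whose target has the %APPDATA%\<random>\<random>.exe shape."""
    hits = []
    for name, command in entries.items():
        path = executable_path(command)
        if APPDATA_RANDOM_RE.match(path):
            hits.append((name, path))
    return hits


def matches_known_sample(data: bytes) -> bool:
    """True if a file's size and MD5 equal the sample described on this page."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    for name, path in find_suspicious_run_entries(parse_run_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious autorun value {name!r} -> {path}")
```

On a real export, feed the decoded file contents to `parse_run_export`; a hit is a lead for triage, not proof of this sample, which is what the size-and-MD5 comparison in `matches_known_sample` is for. The regex deliberately rejects vendor-style nested directories under Roaming, so only the one-level layout described above is reported.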

Email
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:


Email design:

Subject: Zweite Abmahnung %current date%
Body:
   • Guten Tag %email account's user name%,
     
     in unserem Brief vom %date% wurden Sie bereits gemahnt, weil die nicht bezahlte Forderung von 9895,39 Euro von Ihnen noch nicht bezahlt wurde.
     Wir fordern Sie erneut, Ihrer nicht beglichene Forderung zu begleichen.
     
     Wir müssen Ihnen die Kosten von 14,00 Euro darüber hinaus zu der noch offenen Forderung als Mahngebühr in Rechnung stellen.
     Wir bitten Sie, den offenen Betrag bis zum %current date% auf das angegebene Konto zu übersenden.
     
     Überweisungsschein und Artikel Liste sind in dem angefügten Schreiben.
     
     Mit besten Grüßen
     
     LorenzShop GmbH Keiserslauter
     (Mo-Fr 9.00 bis 18.00 Uhr, Sa 9.00 bis 16.00 Uhr)
     Leiter: Timm Friedrich
     Steuer-Nummer: DE303736944

English translation (the original German strings above are the ones to match on):

Subject: Second formal warning %current date%
Body:
   • Good day %email account's user name%,
     
     In our letter of %date% you were already reminded, because the unpaid claim of 9895,39 Euro has still not been paid by you.
     We demand once more that you settle your outstanding claim.
     
     In addition to the still open claim, we must charge you a reminder fee of 14,00 Euro.
     We ask you to transfer the open amount to the stated account by %current date%.
     
     The transfer slip and item list are in the attached letter.
     
     Best regards
     
     LorenzShop GmbH Keiserslauter
     (Mon-Fri 9.00 to 18.00, Sat 9.00 to 16.00)
     Manager: Timm Friedrich
     Tax number: DE303736944

Attachment:
   • Abmahnung %email account's user name%.zip

The attachment is an archive containing a copy of the malware itself.
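The characteristics listed above (a "Zweite Abmahnung" subject, an "Abmahnung <name>.zip" attachment, and an executable inside that archive) can be turned into a mail-gateway check. The following Python is an added example, not from Avira or the spam run itself: it builds a constructed message imitating the lure (placeholder addresses, abbreviated body, a constructed stand-in for the executable) and a constructed benign invoice mail, then scores each by subject, attachment name and whether the zip holds an .exe. The quarantine threshold is an assumption.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Lure characteristics taken from the description above.
SUBJECT_RE = re.compile(r"^\s*Zweite Abmahnung\b", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Abmahnung .+\.zip$", re.IGNORECASE)


def build_sample_lure() -> bytes:
    """Constructed message imitating the spam run; addresses and dates are placeholders."""
    msg = EmailMessage()
    msg["From"] = "buchhaltung@lorenzshop.invalid"
    msg["To"] = "max.mustermann@example.invalid"
    msg["Subject"] = "Zweite Abmahnung 26.08.2012"
    msg.set_content(
        "Guten Tag max.mustermann,\n\n"
        "in unserem Brief vom 12.08.2012 wurden Sie bereits gemahnt ...\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for the malware copy: only the name and "MZ" header matter here.
        zf.writestr("Abmahnung max.mustermann.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Abmahnung max.mustermann.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary invoice mail with a PDF attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "max.mustermann@example.invalid"
    msg["Subject"] = "Ihre Rechnung 4711"
    msg.set_content("Anbei Ihre Rechnung.\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="Rechnung-4711.pdf")
    return msg.as_bytes()


def zip_member_names(payload: bytes) -> list:
    """Names inside a zip attachment, or [] if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the lure characteristics."""
    msg = email.message_from_bytes(raw, policy=default)
    indicators = []
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        indicators.append("subject")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not ATTACHMENT_RE.match(filename):
            continue
        indicators.append("zip_name")
        members = zip_member_names(part.get_payload(decode=True) or b"")
        if any(name.lower().endswith(".exe") for name in members):
            indicators.append("exe_in_zip")
    # Assumed policy: the subject plus an executable inside the zip is enough to
    # quarantine; the attachment name alone is only a hint.
    return {"indicators": indicators,
            "quarantine": "subject" in indicators and "exe_in_zip" in indicators}


if __name__ == "__main__":
    print("lure:  ", assess_message(build_sample_lure()))
    print("benign:", assess_message(build_benign_message()))
```

The archive is opened in memory and only its member names are read; nothing inside it is executed. Because the lure personalises both subject and attachment name with the recipient's account name, the patterns anchor on the fixed prefixes rather than on a full string.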

Backdoor
Contact server:
   • http://seneesamj.com/ld/a.**********

As a result it may send out information and provide remote control.

Remote control capabilities:
   • Download file

Injection
It injects itself into a process.

All of the following processes:
   • %WINDIR%\explorer.exe
   • %SYSDIR%\svchost.exe
   • %SYSDIR%\ctfmon.exe


File details
Programming language:
The malware program was written in Borland C++.

Description inserted by Tudor Ciochina on Wednesday, August 29, 2012
Description updated by Tudor Ciochina on Thursday, August 30, 2012
