August 25, 2014
Trojan.Mayachok.18831 is a malicious program distributed mainly via mass mailings. Like other Trojans of this family, Trojan.Mayachok.18831 is designed to inject arbitrary content into web pages loaded in browser windows, but unlike its predecessors Trojan.Mayachok.18831 can also display ads on top of visited websites and replace the content of profiles on social networking sites. The Trojan can also take screenshots of an infected computer and send them to the criminals.
Once launched on an infected machine, the Trojan checks whether its copy is already present in the system and, if so, stops functioning. Then it tries to detect the running processes of virtual machines or popular anti-virus software: cpf.exe, MsMpEng.exe, msseces.exe, avp.exe, dwengine.exe, ekrn.exe, AvastSvc.exe, avgnt.exe, avgrsx.exe, ccsvchst.exe, Mcshield.exe, bdagent.exe, uiSeAgnt.exe, vmtoolsd.exe, vmacthlp.exe, vpcmap.exe, vmsrvc.exe, vmusrvc.exe, and VBoxService.exe.
The Trojan refers to the registry branch HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders to get access to the current user's folder. It then tries to read its configuration file from this folder; if unsuccessful, the Trojan uses the settings stored in its body. The Trojan can download from the Internet other Trojan programs, for example Trojan.LoadMoney.15.
Trojan.Mayachok.18831 generates a second configuration file which contains information about the infected computer. The data is encrypted by a TEA-like algorithm, encoded in Base64 and sent to the server by POST request. The server connection is established either using the functions socket() and connect(), or using wininet.dll library functions. The ID of the infected computer is made up of a string identifier of the first disk and the MAC address of the network card. From this string, the Trojan calculates the MD5 value using the functions of Windows CryptoAPI. The obtained value in the form of a HEX string is used by the Trojan as a unique identifier..
In a 32-bit operating system, the Trojan launches the explorer.exe process and, by using the tool NtQueueApcThread, embeds itself in the OS. Executed in explorer.exe, the code removes the Trojan file and then looks through the running processes. Trojan.Mayachok.18831 searches for the following processes: amigo.exe, explorer.exe, iexplore.exe, chrome.exe, firefox.exe, opera.exe, browser.exe, and minerd.exe. For each process, the Trojan runs the injection code, within which it checks the process’s name. If the Trojan imbeds itself into explorer.exe, three threads carrying payloads are launched; if other processes are included, a routine starts to intercept the API.
In a 64-bit OS, the Trojan checks the path to its executable file. If the Trojan is launched from %MYDOCUMENTS%\CommonData\winhlp31.exe, Trojan.Mayachok.18831 launches three threads, each carrying a payload. The first thread installs the Trojan in the system and registers it in the startup. The second one waits for the self-removal flag to be installed. If such a flag is installed, the Trojan removes it. The third thread deletes the cookies of different browsers, using the sqlite3.dll library, and requests configuration data from the remote server. The Trojan intercepts WinAPI as well as specific browser features to add arbitrary content into web pages using web injections.
The main purpose of Trojan.Mayachok.18831 is to display ads in the browser's windows:
In addition, the Trojan can replace the content of a user's profile on social networking sites by posting obscene texts and images. When the victim tries to edit the profile, the Trojan solicits payment for this service by signing the victim up for a paid subscription:
The Trojan also modifies the form used to register for the paid subscription (this form is generated by the mobile operator's site) in order to hide important information from the user:
After filling out the form, the victim receives an SMS with the following text:
Enter the code **** to subscribe to "http://onlinesoftzone.org". Cost: 20.00 rubles per day, VAT included
To prevent Trojan.Mayachok.18831 from infecting a system, Doctor Web recommends using state-of-the-art anti-virus software and not running applications received in dubious e-mail attachments.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.