Malware Trojan.Mayachok

Posted: September 5, 2012 in Encyclopedia viruses, Vulnerability News

Virus Alert

Doctor Web, a Russian developer of IT security software, reports the spread of a new modification of the Trojan.Mayachok family, added to the Dr.Web virus database as Trojan.Mayachok.17516. Although this threat has a certain similarity to the widespread Trojan.Mayachok.1, a number of significant differences have been identified in its architecture.

Trojan.Mayachok.17516 is a shared library installed on the operating system by a dropper: an executable that, in general, decrypts the library and copies it to disk. If UAC (User Account Control) is enabled on the operating system, the dropper copies itself to a temporary folder under the name flash_player_update_1_12.exe and launches that copy.

If the executable launches successfully, the Trojan decrypts the library it contains and saves it under a random name in one of the system folders. There are versions of the library for both 32-bit and 64-bit editions of Windows. The dropper then registers the library in the registry and restarts the computer.

Trojan Mayachok

The malicious library attempts to inject itself into other processes by registering in the AppInit_DLLs registry key. Unlike Trojan.Mayachok.1, Trojan.Mayachok.17516 “can” work not only in the context of browsers but also in the svchost.exe and explorer.exe (Windows Explorer) processes. Notably, on 64-bit systems the malicious program is present only in these two processes. For its operation the Trojan uses an encrypted configuration file, which it stores either in a temporary folder or in the service folder %appdata%.
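Because AppInit_DLLs persistence is the page's key point, here is an added defender-side check (it is not Dr.Web's code and not part of the original post). It parses a registry export of the `Windows NT\CurrentVersion\Windows` key, in both the native and the Wow6432Node view that a 64-bit system has, and reports every DLL listed in AppInit_DLLs together with whether LoadAppInit_DLLs actually enables loading. The embedded `.reg` text is a constructed sample and the DLL path in it is a placeholder, not a real indicator from the advisory.

```python
import re

# Constructed sample of a `reg export` of the two AppInit keys on a 64-bit host.
# The DLL name below is a placeholder for a random-named library, not a real IoC.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\qzxkwpl.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
APPINIT_KEY_SUFFIX = r"\microsoft\windows nt\currentversion\windows"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_value_text}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_string(raw):
    """Decode a REG_SZ value as written by regedit ("..." with doubled backslashes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def decode_dword(raw):
    """Decode a dword:XXXXXXXX value; None if the value is not a DWORD."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def audit_appinit(keys):
    """Return one finding per DLL path listed in any AppInit_DLLs value."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(APPINIT_KEY_SUFFIX):
            continue
        view = "wow64" if "wow6432node" in key.lower() else "native"
        dll_list = decode_string(values.get("AppInit_DLLs", '""'))
        load_flag = decode_dword(values.get("LoadAppInit_DLLs", "dword:00000000"))
        # AppInit_DLLs may separate several paths with spaces, commas or semicolons.
        for dll in [d for d in re.split(r"[ ,;]+", dll_list) if d]:
            findings.append({
                "key": key,
                "view": view,
                "dll": dll,
                "load_enabled": load_flag == 1,
            })
    return findings


if __name__ == "__main__":
    for f in audit_appinit(parse_reg_export(SAMPLE_REG_EXPORT)):
        state = "LOADING ENABLED" if f["load_enabled"] else "loading disabled"
        print(f"[{f['view']}] {f['dll']}  ({state})")
```

On a clean workstation both AppInit_DLLs values are normally empty, so any entry at all deserves a look, and an entry in a system folder with a meaningless name matches the dropper behaviour described above. The audit inspects both registry views because on 64-bit Windows the native key controls 64-bit processes such as svchost.exe and explorer.exe, while the Wow6432Node key controls 32-bit processes such as most browsers of the time.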

The basic functions of Trojan.Mayachok.17516 are downloading and running executable files and sniffing browser network traffic. Using the explorer.exe process, Trojan.Mayachok.17516 covertly launches the browser and inflates (‘cheats’) the visitor counts of certain online resources. The infected svchost.exe process is responsible for communicating with the remote command server, as well as for downloading configuration files and updates. The attackers, in turn, receive information about the infected computer, including the operating system, details of the installed browsers, etc. The signature for this threat has been added to the Dr.Web antivirus database.
