MSIL/Pyrrawn [Threat Name]

MSIL/Pyrrawn.A [Threat Variant Name]

Category trojan
Size 74240 B
Short description

MSIL/Pyrrawn.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • C:\Windows\sys\warry.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "warr" = "C:\Windows\sys\warry.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    • "SaveZoneInformation" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "LowRiskFileTypes" = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;"

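
The registry and file artefacts listed in this section lend themselves to a quick host check. The PowerShell below is an added triage script, not part of the ESET entry or of the malware; it queries each value and path named above and reports the ones present with the value the trojan sets. For context on what the policy values do: EnableLUA = 0 disables User Account Control (it takes effect after a reboot), SaveZoneInformation = 1 stops Windows from recording the download zone (Mark of the Web) on saved files, and LowRiskFileTypes suppresses the Attachment Manager warning for the listed extensions. The function and variable names are this example's own; run it from an elevated session.

```powershell
# Added triage example for the MSIL/Pyrrawn.A indicators above (not code from
# the ESET entry). Paths and registry values come from the entry; the function
# and variable names are this example's own. Run elevated.

$Findings = [System.Collections.Generic.List[string]]::new()

function Test-RegValue {
    param(
        [string]$Path,      # registry key in PowerShell drive syntax (HKLM:\..., HKCU:\...)
        [string]$Name,      # value name
        [object]$Expected,  # value the trojan sets
        [string]$Note       # what a hit means
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }          # key or value absent: nothing to report
    $actual = $item.$Name
    # String compare so REG_DWORD 0 and the expected 0 line up; -eq is case-insensitive
    if ("$actual" -eq "$Expected") {
        $Findings.Add("[REG] $Path\$Name = '$actual' ($Note)")
    }
}

# Persistence: Run value "warr" pointing at the copied sample
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'warr' `
    'C:\Windows\sys\warry.exe' 'autostart entry set by the trojan'

# UAC disabled machine-wide (effective after reboot)
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    'EnableLUA' 0 'User Account Control disabled'

# Mark-of-the-Web no longer written to downloaded files
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments' `
    'SaveZoneInformation' 1 'download zone information not saved'

# Executable extensions declared "low risk" so Attachment Manager stops prompting
$lowRisk = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations' `
    -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue
if ($lowRisk -and $lowRisk.LowRiskFileTypes -match '\.(exe|bat|cmd|vbs|reg)(;|$)') {
    $Findings.Add("[REG] LowRiskFileTypes contains executable extensions: $($lowRisk.LowRiskFileTypes)")
}

# Copied and dropped files named in the entry; hash anything found for later matching
foreach ($p in 'C:\Windows\sys\warry.exe', 'C:\sys\warryP.exe', 'C:\Windows\pam.reg') {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $Findings.Add("[FILE] $p present, SHA256 $h")
    }
}

if ($Findings.Count -eq 0) {
    'No MSIL/Pyrrawn.A indicators found.'
} else {
    $Findings
}
```

A hit on the Run value or on the files is strong evidence; a hit on EnableLUA or the two policy values alone is weak, since administrators sometimes set them deliberately, so confirm with the file and process indicators before acting.
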
Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • hardware information
  • external IP address of the network device
  • user location
  • language settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • SbieCtrl (the Sandboxie control utility)

The trojan terminates processes with any of the following strings in the name:

  • Wireshark
  • ollydbg
  • fiddler

The trojan attempts to hide its presence if it detects a running process containing one of the following strings in its name:

  • regedit

The following files are dropped:

  • C:\Windows\pam.reg
  • C:\sys\warryP.exe

The trojan executes the following files:

  • C:\Windows\sys\warry.exe
  • C:\sys\warryP.exe

The trojan executes the following commands:

  • cmd.exe /c reg import C:\Windows\pam.reg
  • cmd.exe /c %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  • cmd.exe /c %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v warr /t REG_SZ /f /d C:\Windows\sys\warry.exe
  • cmd.exe /C ping 1.1.1.1 -n 1 -w 500 > Nul & Del "%malwarefilepath%"
  • cmd.exe /c shutdown -r -f -t 2
  • cmd.exe /c mkdir C:\Windows\sys\
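
The command lines above are the most durable detection signal, since they show up in process-creation telemetry (the CommandLine field of Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) even after the trojan has deleted itself. The PowerShell below is an added example, not part of the ESET entry; it turns each listed command into a regular expression and classifies sample command lines against them. The function name, rule names and sample lines are this example's own, and the samples are constructed: the entry's %malwarefilepath% is a placeholder for the original executable's path, so the self-deletion sample uses an invented path, and the last two samples are benign lookalikes that must not match.

```powershell
# Added detection example for the commands listed in the MSIL/Pyrrawn.A entry
# (not code from the entry). Rule names, function name and sample command
# lines are this example's own; the patterns follow the entry's commands.

$Rules = [ordered]@{
    # reg.exe ADD ...\Policies\System /v EnableLUA ... /d 0  (UAC off)
    'uac_disable'      = 'reg(\.exe)?\s+ADD\s+.*Policies\\System.*/v\s+EnableLUA\s+.*/d\s+0\b'
    # reg.exe ADD ...\CurrentVersion\Run /v warr ...        (persistence)
    'run_key_warr'     = 'reg(\.exe)?\s+ADD\s+.*CurrentVersion\\Run\s+/v\s+warr\b'
    # reg import ...\pam.reg                                 (dropped .reg file)
    'reg_import_pam'   = 'reg\s+import\s+.*\\pam\.reg'
    # ping <host> -n 1 -w <ms> > Nul & Del ...               (delayed self-deletion)
    'self_delete_ping' = 'ping\s+\S+\s+-n\s+1\s+-w\s+\d+\s*>\s*Nul\s*&\s*Del\s'
    # shutdown -r -f -t <s>                                  (forced reboot)
    'forced_reboot'    = 'shutdown\s+-r\s+-f\s+-t\s+\d+'
    # mkdir C:\Windows\sys                                   (staging directory)
    'sys_dir_create'   = 'mkdir\s+C:\\Windows\\sys\\?'
    # any reference to the copied/dropped executables
    'warry_exec'       = '\\(warry|warryP)\.exe\b'
}

function Get-PyrrawnCommandIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Collect every rule name whose pattern matches; -imatch is case-insensitive
    $hits = @(foreach ($k in $Rules.Keys) {
        if ($CommandLine -imatch $Rules[$k]) { $k }
    })
    return ,$hits   # leading comma keeps an empty or single-element array intact
}

# Constructed samples: first five mirror the entry, last two are benign lookalikes
$Samples = @(
    'cmd.exe /c %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    'cmd.exe /c %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v warr /t REG_SZ /f /d C:\Windows\sys\warry.exe',
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 500 > Nul & Del "C:\Users\victim\Downloads\invoice.exe"',
    'cmd.exe /c reg import C:\Windows\pam.reg',
    'cmd.exe /c shutdown -r -f -t 2',
    'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f',
    'ping 1.1.1.1 -n 4'
)

foreach ($s in $Samples) {
    $hits  = Get-PyrrawnCommandIndicators -CommandLine $s
    $label = if ($hits.Count) { $hits -join ',' } else { '-' }
    '{0,-30} {1}' -f $label, $s
}
```

The first sample should report uac_disable, the second run_key_warr and warry_exec, the third self_delete_ping, the fourth reg_import_pam and the fifth forced_reboot, while the two benign lines report nothing. The ping-then-Del pair is a generic self-deletion idiom used by many families, so on its own it identifies a dropper rather than this trojan; the EnableLUA and warr rules are the specific ones. Note also that the EnableLUA change only takes effect after a restart, which is consistent with the forced shutdown -r in the same list.
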

The trojan acquires data and commands from a remote computer or the Internet.
It may perform the following actions:

  • display a dialog window
  • send gathered information
