Win32/Moure [Threat Name]
Win32/Moure.A [Threat Variant Name]
| Category | trojan |
| Size | 30208 B |
| Aliases | Trojan-Dropper.Win32.Dapato.cdqu (Kaspersky) |
Short description
Win32/Moure.A is a trojan that blocks access to the Windows operating system.
Installation
When executed, the trojan copies itself into the following location:
- %currentfolder%\%originalfilename%.dll
The trojan creates the following files:
- %localappdata%\2433f433
- %commonappdata%\2433f433
- %templates%\2433f433
- %appdata%\2433f433
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "qcgce2mrvjq91kk1e7pnbb19m52fx" = "%currentfolder%\%originalfilename%.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor]
- "AutoRun" = "%currentfolder%\%originalfilename%.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "cmd.exe"
- [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
- "{%randomclsid%}"
- [HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers]
- "{%randomclsid%}"
The trojan may set the following Registry entries:
- [HKEY_CLASSES_ROOT\CLSID\{%randomclsid%}\InProcServer32]
- "(Default)" = "%currentfolder%\%originalfilename%.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_CLASSES_ROOT\CLSID\{%stolenclsid%}\InProcServer32]
- "(Default)" = "%currentfolder%\%originalfilename%.dll"
- "ThreadingModel" = "Apartment"
If that fails, the following entries are set instead:
- [HKEY_CURRENT_USER\Software\Classes\CLSID\{%randomclsid%}\InProcServer32]
- "(Default)" = "%currentfolder%\%originalfilename%.dll"
- [HKEY_CURRENT_USER\Software\Classes\CLSID\{%stolenclsid%}\InProcServer32]
- "(Default)" = "%currentfolder%\%originalfilename%.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%randomclsid%}\InProcServer32]
- "(Default)" = "%currentfolder%\%originalfilename%.dll"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%stolenclsid%}\InProcServer32]
- "(Default)" = "%currentfolder%\%originalfilename%.dll"
- "ThreadingModel" = "Apartment"
A string with variable content is used in place of %randomclsid%.
In place of %stolenclsid%, the value(s) are taken from the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers]
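The registry entries above describe four distinct persistence hooks: a Run key entry, a Command Processor AutoRun value (executed by every cmd.exe instance), a per-user Winlogon Shell override (replacing Explorer with cmd.exe), and COM registration of the dropped DLL both under a random CLSID (context menu handler) and under a CLSID copied from ShellIconOverlayIdentifiers. Because HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE\SOFTWARE\Classes, a per-user InProcServer32 entry for an overlay CLSID that is legitimately registered machine-wide causes Explorer to load the trojan's DLL in place of the real handler. The following read-only audit script is an added example written for this page; it is not ESET's code or tooling. It checks exactly the locations listed above, reports anything it finds and modifies nothing. The file name 2433f433 and the registry paths are taken from the page; the function names, the marker-folder mapping (%commonappdata% to $env:ProgramData, %templates% to the Templates special folder) and the "trusted directory" heuristic used to flag Run and COM entries are assumptions of this example.

```powershell
# Added example (not from the ESET page): read-only audit of the persistence
# locations listed for Win32/Moure.A. Run in an elevated PowerShell session.
$findings = @()
function Add-Finding([string]$Text) { $script:findings += $Text }

# Heuristic (assumption): binaries under the Windows or Program Files trees are
# treated as expected; anything else (e.g. %currentfolder%) is reported.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
function Test-TrustedPath([string]$Path) {
    $p = $Path.Trim('"')
    foreach ($t in $trusted) { if ($p -like "$t\*") { return $true } }
    return $false
}

# 1. Per-user Winlogon Shell override. The page documents the value "cmd.exe";
#    normally no Shell value exists under HKCU at all.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) { Add-Finding "HKCU Winlogon Shell = '$shell' (expected: value absent)" }

# 2. Command Processor AutoRun: executed by every cmd.exe instance.
$cmdproc = 'HKCU:\Software\Microsoft\Command Processor'
$autorun = (Get-ItemProperty -Path $cmdproc -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
if ($autorun) { Add-Finding "HKCU Command Processor AutoRun = '$autorun'" }

# 3. HKCU Run entries pointing outside trusted directories.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        if (-not (Test-TrustedPath ([string]$prop.Value))) {
            Add-Finding "HKCU Run '$($prop.Name)' -> '$($prop.Value)' (outside trusted directories)"
        }
    }
}

# Resolve a CLSID to its InProcServer32 DLL, checking the per-user hive first
# because that is the lookup order Windows itself uses.
function Get-InProcServer([string]$Clsid) {
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = "$root\$Clsid\InProcServer32"
        $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { return [pscustomobject]@{ Root = $root; Path = $dll } }
    }
    return $null
}

# 4. Per-user context menu handlers (HKCU\Software\Classes\*\shellex\ContextMenuHandlers)
#    whose server DLL lives outside trusted directories. The subkey may be named by
#    CLSID (as on this page) or carry the CLSID as its default value.
$handlerKey = 'HKCU:\Software\Classes\*\shellex\ContextMenuHandlers'
foreach ($h in (Get-ChildItem -LiteralPath $handlerKey -ErrorAction SilentlyContinue)) {
    $clsid = (Get-ItemProperty -LiteralPath $h.PSPath).'(default)'
    if (-not $clsid) { $clsid = $h.PSChildName }
    if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
    $srv = Get-InProcServer $clsid
    if ($srv -and -not (Test-TrustedPath $srv.Path)) {
        Add-Finding "Per-user context menu handler $clsid loads '$($srv.Path)' from $($srv.Root)"
    }
}

# 5. COM hijack of ShellIconOverlayIdentifiers: an overlay CLSID registered
#    machine-wide that also has a per-user InProcServer32 entry is overridden.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
foreach ($o in (Get-ChildItem -LiteralPath $overlayKey -ErrorAction SilentlyContinue)) {
    $clsid = (Get-ItemProperty -LiteralPath $o.PSPath).'(default)'
    if (-not $clsid) { continue }
    $userDll = (Get-ItemProperty -LiteralPath "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
    if ($userDll) {
        Add-Finding "Overlay handler '$($o.PSChildName)' ($clsid) overridden per-user by '$userDll' (possible COM hijack)"
    }
}

# 6. Marker files named 2433f433 in the folders listed on the page.
$markers = @(
    (Join-Path $env:LOCALAPPDATA '2433f433'),
    (Join-Path $env:ProgramData  '2433f433'),   # %commonappdata%
    (Join-Path $env:APPDATA      '2433f433'),
    (Join-Path ([Environment]::GetFolderPath('Templates')) '2433f433')
)
foreach ($m in $markers) {
    if (Test-Path -LiteralPath $m) { Add-Finding "Marker file present: $m" }
}

if ($findings.Count -eq 0) { 'No Win32/Moure.A persistence indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Checks 3 and 4 are heuristics and will also report legitimate software installed outside Program Files, so treat their output as leads to verify rather than as verdicts; checks 1, 2 and 5 are far more specific, since a per-user Winlogon Shell, a Command Processor AutoRun value, or a per-user override of a machine-wide overlay CLSID is rarely legitimate.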
Other information
Win32/Moure.A is a trojan that blocks access to the Windows operating system.
To regain access to the operating system, the user is asked to pay a certain amount of money via the PaySafeCard or Ukash payment service.
The trojan can create and run a new thread with its own program code within the following processes:
- svchost.exe
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 10 URLs. The HTTP protocol is used.
It may perform the following actions:
- capture webcam picture
- remove itself from the infected computer
The trojan can terminate the following processes:
- cmd.exe
- taskmgr.exe
- MSASCui.exe
- MpCmdRun.exe
- MsMpEng.exe
- NisSrv.exe
- msseces.exe
- wscntfy.exe
The following services are disabled:
- wuauserv
- wscsvc
- WinDefend
- MsMpSvc
The trojan may restart the operating system.