Win32/Moure [Threat Name]

Win32/Moure.A [Threat Variant Name]

Category: trojan
Size: 30208 B
Detection created: May 11, 2013
Detection database version: 8320
Aliases: Trojan-Dropper.Win32.Dapato.cdqu (Kaspersky)
Short description

Win32/Moure.A is a trojan that blocks access to the Windows operating system.

Installation

When executed, the trojan copies itself into the following location:

  • %currentfolder%\%originalfilename%.dll

The trojan creates the following files:

  • %localappdata%\2433f433
  • %commonappdata%\2433f433
  • %templates%\2433f433
  • %appdata%\2433f433

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "qcgce2mrvjq91kk1e7pnbb19m52fx" = "%currentfolder%\%originalfilename%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor]
    • "AutoRun" = "%currentfolder%\%originalfilename%.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "cmd.exe"
  • [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    • "{%randomclsid%}"
  • [HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers]
    • "{%randomclsid%}"

The trojan may set the following Registry entries:

  • [HKEY_CLASSES_ROOT\CLSID\{%randomclsid%}\InProcServer32]
    • "(Default)" = "%currentfolder%\%originalfilename%.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{%stolenclsid%}\InProcServer32]
    • "(Default)" = "%currentfolder%\%originalfilename%.dll"
    • "ThreadingModel" = "Apartment"

If that fails, the following entries are set instead:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{%randomclsid%}\InProcServer32]
    • "(Default)" = "%currentfolder%\%originalfilename%.dll"
  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{%stolenclsid%}\InProcServer32]
    • "(Default)" = "%currentfolder%\%originalfilename%.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%randomclsid%}\InProcServer32]
    • "(Default)" = "%currentfolder%\%originalfilename%.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%stolenclsid%}\InProcServer32]
    • "(Default)" = "%currentfolder%\%originalfilename%.dll"
    • "ThreadingModel" = "Apartment"

A string with variable content is used instead of %randomclsid%.

Instead of %stolenclsid%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers]

Other information
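As an added defender-side example (not part of ESET's description), the following read-only PowerShell audit checks the persistence points listed above on a live system: the HKCU Winlogon Shell and Command Processor AutoRun values, Run entries whose target .exe has a same-named .dll beside it, and per-user context-menu handlers served from an HKCU CLSID or reusing a ShellIconOverlayIdentifiers CLSID. The function name and heuristics are assumptions of this example; it reports findings for review and changes nothing.

```powershell
# Constructed audit for this page (not ESET's code): read-only checks of the documented persistence points.
function Get-MourePersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Location, $Value, $Note) {
        $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value; Note = $Note })
    }
    $silent = @{ ErrorAction = 'SilentlyContinue' }

    # HKCU Winlogon\Shell is normally absent; the page documents it set to cmd.exe.
    $winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -LiteralPath $winlogon -Name Shell @silent).Shell
    if ($shell) { Add-Finding "$winlogon\Shell" $shell 'per-user shell override (expected: not set)' }

    # Command Processor\AutoRun runs a command every time cmd.exe starts.
    $cmdproc = 'HKCU:\SOFTWARE\Microsoft\Command Processor'
    $autorun = (Get-ItemProperty -LiteralPath $cmdproc -Name AutoRun @silent).AutoRun
    if ($autorun) { Add-Finding "$cmdproc\AutoRun" $autorun 'cmd.exe AutoRun hook (expected: not set)' }

    # Run entries whose .exe has a same-named .dll beside it, matching the dropped copy described above.
    $run = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runKey = Get-Item -LiteralPath $run @silent
    $names = if ($runKey) { $runKey.GetValueNames() } else { @() }
    foreach ($name in $names) {
        $data = [string]$runKey.GetValue($name)
        if ($data -match '^"?([^"]+?\.exe)') {
            $dll = [IO.Path]::ChangeExtension($Matches[1], '.dll')
            if (Test-Path -LiteralPath $dll) { Add-Finding "$run\$name" $data "same-named DLL beside target: $dll" }
        }
    }

    # Per-user context-menu handlers: the page documents a random CLSID plus one copied from
    # ShellIconOverlayIdentifiers, both resolved through an HKCU InProcServer32 (COM hijack pattern).
    $overlay = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    $overlayClsids = @(Get-ChildItem -LiteralPath $overlay @silent |
        ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath @silent).'(default)' } |
        Where-Object { $_ })
    $handlers = 'HKCU:\Software\Classes\*\shellex\ContextMenuHandlers'
    foreach ($h in @(Get-ChildItem -LiteralPath $handlers @silent)) {
        $clsid = $h.PSChildName   # subkey is either the CLSID itself or a name whose default value is the CLSID
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { $clsid = (Get-ItemProperty -LiteralPath $h.PSPath @silent).'(default)' }
        if (-not $clsid) { continue }
        $server = (Get-ItemProperty -LiteralPath "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32" @silent).'(default)'
        if ($server) { Add-Finding "$handlers\$($h.PSChildName)" $server 'handler served from an HKCU CLSID' }
        if ($overlayClsids -contains $clsid) { Add-Finding "$handlers\$($h.PSChildName)" $clsid 'CLSID duplicates a ShellIconOverlayIdentifiers entry' }
    }
    return $findings
}
Get-MourePersistenceFindings | Format-Table -AutoSize -Wrap
```

Any finding is a lead to verify against the DLL on disk, not a verdict on its own; legitimate software also registers per-user shell extensions.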

To regain access to the operating system, the user is asked to send information or a certain amount of money via the PaySafeCard or Ukash payment services.

The trojan can create and run a new thread containing its own program code within the following processes:

  • svchost.exe

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 10 URLs and communicates over the HTTP protocol.

It may perform the following actions:

  • capture webcam picture
  • remove itself from the infected computer

The trojan can terminate the following processes:

  • cmd.exe
  • taskmgr.exe
  • MSASCui.exe
  • MpCmdRun.exe
  • MsMpEng.exe
  • NisSrv.exe
  • msseces.exe
  • wscntfy.exe

The following services are disabled:

  • wuauserv
  • wscsvc
  • WinDefend
  • MsMpSvc

The trojan may restart the operating system.
