Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Trojan-Downloader:W32/MyDrill.A
[Summary] | [Detailed Description]

Name : Trojan-Downloader:W32/MyDrill.A
Size:130,708
Type:Trojan-Downloader
Category:Malware
Platform:Win32
Date of Discovery:November 22, 2007
Radar

Summary
MyDrill.A is detection for files used as part of a Malaysian Cyber Security Drill that took place during 2007.

MyDrill.A are harmless test files. Detection was added for the purpose of the drill.
Back to the Top

Detailed Description
On execution this trojan will download a second trojan file from:

  • http://202.190[REMOVED]/gaga/2malware.html

It is saved as C:\malware.html and then later renamed and executed as C:\malware2.exe. The second trojan is also detected as
Trojan-Downloader:W32/MyDrill.A.

It will then create a copy of itself in the Window's System directory, usually C:\Windows\System32.

It will then Show the following Message Box:



It then creates an autostart registry entry for the downloaded Trojan in:

  • HKLM\Software\Microsoft\Windows\Currentversion\Run
    myDrill07_hi_analyst = %System%\malware2.exe

It also monitors the following active analyst tools and applications and shows a message box as an alert:

  • Command Prompt
  • Ethereal / WireShark
  • Olly Debug
  • Process Explorer
  • Registry Editor
  • RegShot
  • Windows Task Manager
  • WordPad
  • ZoneAlarm

Example:



It then exits whenever one of the said tools are detected as running.

With an additional anti-debugging check compared to the first trojan, the downloaded file when executed then downloads a third trojan from:

  • http://202.190[REMOVED]/gaga/3-malware.html

The download is saved as C:\malware.html and then later renamed and executed as C:\malware3.exe.

The third trojan is also detected as Trojan-Downloader:W32/MyDrill.A.

It then copies itself to the Window's System directory as malware3.exe showing the same message box for notification.
An autostart entry in the registry is then created for itself as:

  • HKLM\Software\Microsoft\Windows\Currentversion\Run
    myDrill07_hi_analyst = %System%\malware3.exe

As the first trojan , this file then monitors active analysis tools and exits if it detects any, also showing similar message box as notification.

The third trojan then downloads a none malicious file done.html from:

  • http://202.190[REMOVED]/gaga/done.html

Similar to the first two trojans with the exception of the additional anti-debugging routines, this file then creates a autostart registry entry:

  • HKLM\Software\Microsoft\Windows\Currentversion\Run
    myDrill07_hi_analyst = %System%\malware3.exe

It then actively monitors running analysis tools.

It then displays the message box:
Back to the Top



F-Secure Corporation

Last Modified: November 22, 2007