F-Secure
Tools
Trojan-Downloader:W32/MyDrill.A
| Name : | Trojan-Downloader:W32/MyDrill.A |
| Size: | 130,708 |
| Category: | Malware |
| Type: | Trojan-Downloader |
| Platform: | Win32 |
| Date of Discovery: | November 22, 2007 |
Summary
MyDrill.A is detection for files used as part of a Malaysian Cyber Security Drill that took place during 2007.
MyDrill.A are harmless test files. Detection was added for the purpose of the drill.
MyDrill.A are harmless test files. Detection was added for the purpose of the drill.
Additional Details
On execution this trojan will download a second trojan file from:
It is saved as C:\malware.html and then later renamed and executed as C:\malware2.exe. The second trojan is also detected as
Trojan-Downloader:W32/MyDrill.A.
It will then create a copy of itself in the Window's System directory, usually C:\Windows\System32.
It will then Show the following Message Box:
It then creates an autostart registry entry for the downloaded Trojan in:
It also monitors the following active analyst tools and applications and shows a message box as an alert:
Example:
It then exits whenever one of the said tools are detected as running.
With an additional anti-debugging check compared to the first trojan, the downloaded file when executed then downloads a third trojan from:
The download is saved as C:\malware.html and then later renamed and executed as C:\malware3.exe.
The third trojan is also detected as Trojan-Downloader:W32/MyDrill.A.
It then copies itself to the Window's System directory as malware3.exe showing the same message box for notification.
An autostart entry in the registry is then created for itself as:
As the first trojan , this file then monitors active analysis tools and exits if it detects any, also showing similar message box as notification.
The third trojan then downloads a none malicious file done.html from:
Similar to the first two trojans with the exception of the additional anti-debugging routines, this file then creates a autostart registry entry:
It then actively monitors running analysis tools.
It then displays the message box:
• http://202.190[REMOVED]/gaga/2malware.html
It is saved as C:\malware.html and then later renamed and executed as C:\malware2.exe. The second trojan is also detected as
Trojan-Downloader:W32/MyDrill.A.
It will then create a copy of itself in the Window's System directory, usually C:\Windows\System32.
It will then Show the following Message Box:
It then creates an autostart registry entry for the downloaded Trojan in:
• HKLM\Software\Microsoft\Windows\Currentversion\Run
myDrill07_hi_analyst = %System%\malware2.exe
myDrill07_hi_analyst = %System%\malware2.exe
It also monitors the following active analyst tools and applications and shows a message box as an alert:
• Command Prompt
• Ethereal / WireShark
• Olly Debug
• Process Explorer
• Registry Editor
• RegShot
• Windows Task Manager
• WordPad
• ZoneAlarm
Example:
It then exits whenever one of the said tools are detected as running.
With an additional anti-debugging check compared to the first trojan, the downloaded file when executed then downloads a third trojan from:
• http://202.190[REMOVED]/gaga/3-malware.html
The download is saved as C:\malware.html and then later renamed and executed as C:\malware3.exe.
The third trojan is also detected as Trojan-Downloader:W32/MyDrill.A.
It then copies itself to the Window's System directory as malware3.exe showing the same message box for notification.
An autostart entry in the registry is then created for itself as:
• HKLM\Software\Microsoft\Windows\Currentversion\Run
myDrill07_hi_analyst = %System%\malware3.exe
myDrill07_hi_analyst = %System%\malware3.exe
As the first trojan , this file then monitors active analysis tools and exits if it detects any, also showing similar message box as notification.
The third trojan then downloads a none malicious file done.html from:
• http://202.190[REMOVED]/gaga/done.html
Similar to the first two trojans with the exception of the additional anti-debugging routines, this file then creates a autostart registry entry:
• HKLM\Software\Microsoft\Windows\Currentversion\Run
myDrill07_hi_analyst = %System%\malware3.exe
myDrill07_hi_analyst = %System%\malware3.exe
It then actively monitors running analysis tools.
It then displays the message box: