Trojan:Win32/Mesoum.A is a trojan that collects information from an affected system and downloads files from remote sites. The trojan masquerades as msxml1.dll or mstsc.dll libraries, and minor variants have been distributed as polymorphically-encrypted DLLs.
Installation
When loaded, the trojan browses the kernel32 image in order to find the following three initial API functions:
- VirtualProtect
- LoadLibraryA
- GetProcAddress
Using these three calls, the trojan loads all the libraries it requires and resolves the addresses of the remaining API functions it needs.
In order to prevent multiple installations of itself, the trojan creates the following mutex:
- DnsMonitor_GlobalStartMutex
Mesoum.A checks whether it has been loaded from the System folder and, if not, quits.
The decryption process reveals one function which the trojan exports for external use. The function name is ‘FindDir’ and it expects one argument – a file name. When provided with a valid file name, the trojan promptly deletes that file.
Mesoum.A looks for files matching *esl.dll and deletes any files found. Next, the trojan looks for files matching ms*as.dll and it attempts to delete these too. However, this action fails due to a bug in the malware's code. Then, it looks for the files matching *dat.dll and deletes any files found.
The trojan attempts to copy the file <system folder>\nt.dll to a new file in the <system folder> with a partially randomly generated name using the pattern w*nt.dll (e.g. wzhunnt.dll), but due to a bug this always fails. The trojan then copies the file <system folder>\msdtc.exe to <system folder>\w*nt.dll and randomly modifies the destination file. Finally, it reads the time stamp of the original msdtc.exe and sets the same time stamp on the new w*nt.dll.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Mesoum.A copies the file <system folder>\wsock32.dll to the file: <system folder>\mssock<rnd>.dll (e.g. mssockni.dll), then truncates it to 20,480 bytes and sets its time stamp to a value matching that of the library user32.dll.
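A host-side check for the installation traces just described (a w*nt.dll that carries msdtc.exe's time stamp, and a 20,480-byte mssock<rnd>.dll stamped like user32.dll), written as an added example rather than code from Microsoft's analysis. The <system folder> stand-in that build_sample_system_dir() creates is constructed for the demo; the mutex is not covered because it only exists while the trojan is loaded.

```python
"""Host check for the Mesoum.A drop files described under Installation: an added
illustration, not Microsoft's tooling; build_sample_system_dir() is a constructed stand-in."""
import fnmatch
import os
import tempfile
from pathlib import Path

SOCK_TRUNC_SIZE = 20480   # size the trojan truncates its wsock32.dll copy to

def _mtime(path):
    return int(path.stat().st_mtime) if path.exists() else None

def find_mesoum_artifacts(system_dir):
    """Return sorted (file name, reason) pairs for files that match the drop
    name patterns AND the size/timestamp tricks the trojan uses to blend in."""
    system_dir = Path(system_dir)
    msdtc_mtime = _mtime(system_dir / "msdtc.exe")
    user32_mtime = _mtime(system_dir / "user32.dll")
    wsock = system_dir / "wsock32.dll"
    wsock_head = wsock.read_bytes()[:SOCK_TRUNC_SIZE] if wsock.exists() else None
    hits = []
    for p in system_dir.iterdir():
        if not p.is_file():
            continue
        name, st = p.name.lower(), p.stat()
        # w*nt.dll: modified copy of msdtc.exe carrying msdtc.exe's timestamp
        if fnmatch.fnmatch(name, "w*nt.dll") and int(st.st_mtime) == msdtc_mtime:
            hits.append((p.name, "w*nt.dll with msdtc.exe timestamp"))
        # mssock<rnd>.dll: first 20,480 bytes of wsock32.dll, stamped like user32.dll
        elif (fnmatch.fnmatch(name, "mssock*.dll") and st.st_size == SOCK_TRUNC_SIZE
              and int(st.st_mtime) == user32_mtime and p.read_bytes() == wsock_head):
            hits.append((p.name, "truncated wsock32.dll copy with user32.dll timestamp"))
    return sorted(hits)

def build_sample_system_dir():
    """Constructed <system folder>: three 'legitimate' files plus two planted drops."""
    d = Path(tempfile.mkdtemp())
    (d / "msdtc.exe").write_bytes(b"MZ" + b"A" * 4096)
    (d / "user32.dll").write_bytes(b"MZ" + b"B" * 4096)
    (d / "wsock32.dll").write_bytes(b"MZ" + b"C" * 40000)
    os.utime(d / "msdtc.exe", (1_000_000_000, 1_000_000_000))
    os.utime(d / "user32.dll", (1_100_000_000, 1_100_000_000))
    (d / "wzhunnt.dll").write_bytes(b"MZ" + b"A" * 2000 + b"X" * 2096)  # "randomly modified" copy
    os.utime(d / "wzhunnt.dll", (1_000_000_000, 1_000_000_000))
    (d / "mssockni.dll").write_bytes((d / "wsock32.dll").read_bytes()[:SOCK_TRUNC_SIZE])
    os.utime(d / "mssockni.dll", (1_100_000_000, 1_100_000_000))
    (d / "wdmaud.dll").write_bytes(b"MZ" + b"D" * 100)  # benign name, must not match
    return d
```

Point find_mesoum_artifacts() at the real System folder to run the same check on a live host; a name-pattern match alone is not reported, only one that also reproduces the trojan's size and time-stamp forgery.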
Payload
Gathers System Information
Mesoum.A gathers information about the affected system, its resources and its security applications.
Mesoum.A checks the OS version. It then enumerates and collects all LAN adapter numbers, and gathers information about all physical drives (including SCSI devices).
The trojan checks for particular security applications by reading the following registry entries and their DisplayName values:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35C03C04-3F1F-42C2-A989-A757EE691F65}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75193929-9A52-4CA4-98DE-8C7296940920}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kv
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NOD32
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RisingKaKa
Mesoum.A enumerates all currently running processes and gathers information about the following:
- avp.exe
- runiep.exe
- 360tray.exe
- ekrn.exe
- egui.exe
- nod32krn.exe
- nvsvc32.exe
- MPMon.exe
- MPSVC.exe
- MPSVC1.exe
- MPSVC2.exe
- ccApp.exe
- ccSetMgr.exe
- ccEvtMgr.exe
- Rtvscan.exe
- vptray.exe
- mcshield.exe
- mctray.exe
- RavMon.exe
- RavMonD.exe
- Ravtask.exe
- Ccenter.exe
- RsAgnet.exe
- RavCopy.exe
- kwatch.exe
- kpfwsvc.exe
- kmailmon.exe
- kissvc.exe
- kavstart.exe
- kvmonxp.exe
- kvsrvxp.exe
Contacts External Sites
Mesoum.A carries an encrypted list of web domains, and periodically it attempts to resolve their names to their addresses. The trojan runs DNS queries for the following domains:
If resolution succeeds (that is, when two selected domain names resolve to two different IP addresses), the trojan contacts both domains and attempts to download files from them. Apart from the IP addresses, which come from a DNS server, the URLs are constructed from randomly selected predefined components stored encrypted within the trojan. For example, a requested file might be called:
www.adobeliveupdates.net/bbs/v3VqlDUu/b8BvoYhZVIuV.asp
or
www.msmsnliveupdates.net/images/v3VqlDUu/b8BvoYhZVIuV.gif
One list of possible directory names includes:
- html
- cgi
- Script
- bbs
Whereas file name extensions are selected from this list:
- html
- htm
- cgi
- php
- jsp
- asp
- aspx
In another option, the directory names are selected from this list:
- images
- web
- bbs
- news
- Pictures
and the file extensions from this list:
- gif
- jpg
- bmp
- pic
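The download-URL structure above, turned into a proxy-log check; this is an added example, not part of the original analysis. It assumes the directory and extension lists are complete as printed, that a directory and an extension are always drawn from the same option set (as in the two sample URLs), and that the two random path components are alphanumeric; the log lines are constructed.

```python
"""Proxy-log check for the Mesoum.A download-URL shape: an added illustration, not
Microsoft's tooling. Lists are assumed complete and same-set paired; sample log is constructed."""
import re

# Directory and extension are drawn from the SAME option set; case is kept as printed.
OPTION_SETS = {
    "script-style": (("html", "cgi", "Script", "bbs"),
                     ("html", "htm", "cgi", "php", "jsp", "asp", "aspx")),
    "image-style":  (("images", "web", "bbs", "news", "Pictures"),
                     ("gif", "jpg", "bmp", "pic")),
}

def _pattern(dirs, exts):
    # /<dir>/<random>/<random>.<ext>; random parts assumed alphanumeric (as in the page's examples)
    return re.compile(r"^/(?:%s)/[A-Za-z0-9]+/[A-Za-z0-9]+\.(?:%s)$"
                      % ("|".join(map(re.escape, dirs)), "|".join(map(re.escape, exts))))

PATTERNS = {name: _pattern(*lists) for name, lists in OPTION_SETS.items()}

def classify_path(path):
    """Return the option-set name the URL path fits, or None (mixed sets never match)."""
    for name, rx in PATTERNS.items():
        if rx.match(path):
            return name
    return None

def scan_proxy_log(lines):
    """Return (host, path, option set) for requests matching the trojan's URL shape.
    Expects constructed lines of the form '<time> <client> GET http://<host><path>'."""
    hits = []
    for line in lines:
        m = re.search(r"\bGET\s+https?://([^/\s]+)(/\S*)", line)
        if not m:
            continue
        host, path = m.groups()
        kind = classify_path(path)
        if kind:
            hits.append((host, path, kind))
    return hits

# Constructed sample log: the two page-style URLs, one mixed-set path, one ordinary request.
SAMPLE_LOG = [
    "10:01:02 10.0.0.5 GET http://www.adobeliveupdates.net/bbs/v3VqlDUu/b8BvoYhZVIuV.asp",
    "10:01:03 10.0.0.5 GET http://www.msmsnliveupdates.net/images/v3VqlDUu/b8BvoYhZVIuV.gif",
    "10:01:04 10.0.0.7 GET http://example.invalid/html/abc123/def456.gif",
    "10:01:05 10.0.0.7 GET http://example.invalid/images/logo.gif",
]
```

Paths such as /bbs/x/y.php are common on legitimate sites, so treat a hit as a reason to check the requesting host for the installation artifacts and the contacted domains, not as a verdict on its own.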
Analysis by Jakub Kaminski