
Trojan-Downloader:W32/MyDrill.A


First posted on 23 November 2007.
Source: SecurityHome

Aliases:

There are no other names known for Trojan-Downloader:W32/MyDrill.A.

Explanation:

MyDrill.A is the detection name for files used as part of a Malaysian Cyber Security Drill that took place during 2007.

The MyDrill.A files are harmless test files; detection was added for the purpose of the drill.

On execution this trojan will download a second trojan file from:


It is saved as C:\malware.html and then later renamed and executed as C:\malware2.exe. The second trojan is also detected as Trojan-Downloader:W32/MyDrill.A.

It will then create a copy of itself in the Windows System directory, usually C:\Windows\System32.

It will then show the following message box:



It then creates an autostart registry entry for the downloaded trojan in:


It also monitors for the following analysis tools and applications running, and shows a message box as an alert:


Example:



It then exits whenever one of the said tools is detected as running.

With an additional anti-debugging check compared to the first trojan, the downloaded file, when executed, then downloads a third trojan from:


The download is saved as C:\malware.html and then later renamed and executed as C:\malware3.exe.

The third trojan is also detected as Trojan-Downloader:W32/MyDrill.A.

It then copies itself to the Windows System directory as malware3.exe, showing the same message box as notification. An autostart entry in the registry is then created for itself as:


Like the first trojan, this file then monitors active analysis tools and exits if it detects any, also showing a similar message box as notification.
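As an added example (not from the original description, and not the drill's own code), a small Python detection over a constructed file-event trace that flags the staging pattern described above: a download saved with an .html extension, renamed to .exe and executed, then copied into the Windows System directory. The event line format and the sample lines are assumptions.

```python
import re

# Constructed sample trace (not from the original description): one line per
# file event, either "<ACTION> <path>" or "<ACTION> <src> -> <dst>".
SAMPLE_EVENTS = [
    r"CREATE C:\malware.html",
    r"RENAME C:\malware.html -> C:\malware3.exe",
    r"EXEC   C:\malware3.exe",
    r"COPY   C:\malware3.exe -> C:\Windows\System32\malware3.exe",
    r"CREATE C:\Users\bob\report.html",
    r"RENAME C:\Users\bob\report.html -> C:\Users\bob\report_final.html",
    r"EXEC   C:\Windows\System32\notepad.exe",
]

SYSTEM_DIR = "c:\\windows\\system32\\"  # compared case-insensitively
EVENT_RE = re.compile(r"^(?P<action>[A-Z]+)\s+(?P<src>.+?)(?:\s+->\s+(?P<dst>.+))?$")


def find_staging_chain(events):
    """Return (stage, path) findings in the order the chain is observed.

    Stages: a .html file renamed to .exe, execution of that renamed file,
    and a copy of it landing in the Windows System directory.
    """
    suspects = set()   # lower-cased paths of executables renamed from .html
    findings = []
    for line in events:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        action, src, dst = m.group("action"), m.group("src"), m.group("dst")
        src_l = src.lower()
        dst_l = dst.lower() if dst else None
        if action == "RENAME" and dst_l and src_l.endswith(".html") and dst_l.endswith(".exe"):
            suspects.add(dst_l)
            findings.append(("rename_html_to_exe", dst))
        elif action == "EXEC" and src_l in suspects:
            findings.append(("exec_renamed_download", src))
        elif action == "COPY" and dst_l and src_l in suspects and dst_l.startswith(SYSTEM_DIR):
            suspects.add(dst_l)  # the System32 copy inherits the suspect status
            findings.append(("copy_to_system_dir", dst))
    return findings


if __name__ == "__main__":
    for stage, path in find_staging_chain(SAMPLE_EVENTS):
        print(f"{stage}: {path}")
```

The benign report.html rename and the notepad.exe execution in the sample produce no findings, since only a .html-to-.exe rename seeds the chain.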

The third trojan then downloads a non-malicious file, done.html, from:


Similar to the first two trojans, with the exception of the additional anti-debugging routines, this file then creates an autostart registry entry:


It then actively monitors running analysis tools.

It then displays the message box:

Last update 23 November 2007
