W32/Murofet-A

Category: Viruses and Spyware
Type: Win32 executable file virus
Protection available since: 01 Oct 2010 18:34:51 (GMT)
Last Updated: 01 Oct 2010 18:34:51 (GMT)
Prevalence: Small Number of Reports


W32/Murofet-A is a virus for the Windows platform.

W32/Murofet-A attempts to download further code from URLs it generates using an algorithm based on the current date and time, verifying the downloaded file before executing it. This technique is reminiscent of the Conficker family of malware.

Sophos has seen evidence that the threat is also delivered as a payload by exploit kits, in addition to spreading through infected files.

The URLs contacted are in the following forms:

  - hxxp://<generated domain>.biz/forum/
  - hxxp://<generated domain>.info/forum/
  - hxxp://<generated domain>.org/forum/
  - hxxp://<generated domain>.net/forum/
  - hxxp://<generated domain>.com/forum/

At the time of writing, the above URLs were unavailable; however, we had seen cases of the sites hosting malware related to Zbot.

The infection itself modifies the host executable so that it acts as a simple downloader: it creates a thread that downloads from a pseudo-randomly generated domain name.
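The URL shape above (a single generated label under one of five TLDs, always with the path /forum/) and the seemingly random labels in the Runtime Analysis sections are the network indicators a defender can hunt for. The following is an added example, not code from the advisory or from Sophos: it scans constructed proxy log lines (the log format, the sample lines and the consonant-run heuristic are assumptions of this example; the advisory does not describe the generation algorithm, and this code does not reproduce it) for requests matching that URL shape whose domain label looks machine-generated, and tallies which internal clients made them.

```python
import re
from collections import Counter

# Constructed sample proxy log lines for this example (not from the original page).
# Assumed format: <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2010-09-30T10:01:02Z 10.0.0.12 GET http://zlcssltmlwknnk.com/forum/ 503
2010-09-30T10:01:05Z 10.0.0.12 GET http://zlcssltmlwknnk.info/forum/ 503
2010-09-30T10:02:11Z 10.0.0.7 GET http://example.com/forum/ 200
2010-09-30T10:02:30Z 10.0.0.7 GET http://www.example.com/forum/index.php 200
2010-09-30T10:03:40Z 10.0.0.12 GET http://kvovtsxogyqyvro.net/forum/ 503
2010-09-30T10:04:00Z 10.0.0.9 GET http://example.org/ 200
"""

# URL shape described in the advisory: one generated label under one of five TLDs,
# with the fixed path /forum/.
MUROFET_TLDS = ("biz", "info", "org", "net", "com")
MUROFET_URL_RE = re.compile(
    r"^https?://([a-z0-9-]+)\.(" + "|".join(MUROFET_TLDS) + r")/forum/$",
    re.IGNORECASE,
)

VOWELS = set("aeiou")


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of non-vowel letters in a domain label."""
    longest = run = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def is_dga_like(label: str, min_len: int = 10, min_run: int = 4) -> bool:
    """Heuristic (an assumption of this example, not the advisory's algorithm):
    generated labels tend to be long and contain implausible consonant runs."""
    return len(label) >= min_len and longest_consonant_run(label) >= min_run


def parse_proxy_line(line: str):
    """Split one log line into fields; return None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, url, status = fields
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def scan_proxy_log(text: str) -> list:
    """One hit per request matching the Murofet URL shape with a DGA-like label."""
    hits = []
    for line in text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        m = MUROFET_URL_RE.match(rec["url"])
        if not m:
            continue
        label = m.group(1).lower()
        if is_dga_like(label):
            hits.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "label": label,
                "domain": f"{label}.{m.group(2).lower()}",
            })
    return hits


def clients_by_hit_count(hits: list) -> Counter:
    """Internal hosts making the suspicious requests, i.e. the likely infected machines."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["domain"]}')
    print("suspected infected hosts:", dict(clients_by_hit_count(found)))
```

On the sample input the benign example.com requests are left alone (short label, no long consonant run, or a path other than /forum/), while the three requests from 10.0.0.12 are flagged. The thresholds are starting points to tune against your own DNS and proxy baselines; a high count of such requests from one client, especially with failing responses while the generated domains are unregistered, is the pattern worth alerting on.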

Detailed analysis

Example behaviors of W32/Murofet-A follow:

Example 1

File Information

Size: 19K
SHA-1: 5e32a3c2fae62313e609ede57b0e01d768d41fbc
MD5: 4c017ac3bba817369cd09e09d45a2e4d
CRC-32: c3fb45fb
File type: application/x-ms-dos-executable
First seen: 2010-09-29

Runtime Analysis

HTTP Requests
  • http://zlcssltmlwknnk.com/forum/
  • http://zlcssltmlwknnk.info/forum/
DNS Requests
  • zlcssltmlwknnk.com
  • zlcssltmlwknnk.info

Example 2

File Information

Size: 38K
SHA-1: dc2a5b30259e2bc6509ab1e4f143e0eda11cd361
MD5: 4a0ef450e8b2678787d1ff7c5cfed7ae
CRC-32: 47a8a663
File type: application/x-ms-dos-executable
First seen: 2010-09-30

Example 3

File Information

Size: 20K
SHA-1: 4e42db8486e1d24758fe31619869a7b46a7cfe06
MD5: 531e84b0894a7496479d186712acd7d2
CRC-32: daf84aa4
File type: application/x-ms-dos-executable
First seen: 2010-09-30

Runtime Analysis

HTTP Requests
  • http://kvovtsxogyqyvro.net/forum/
  • http://zlcssltmlwknnk.com/forum/
  • http://zlcssltmlwknnk.info/forum/
DNS Requests
  • kvovtsxogyqyvro.net
  • zlcssltmlwknnk.com
  • zlcssltmlwknnk.info
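The File Information blocks for the three examples give host-side indicators (SHA-1, MD5 and CRC-32 of the infected files). The following is an added example, not code from the advisory or from Sophos: it parses those blocks in the flattened "Key" line / "Value" line form in which they appear above, builds a lookup by digest kind, and checks a file's bytes against all three digests. The hash values are the advisory's own; the parsing function, the index layout and the command-line usage are assumptions of this example.

```python
import hashlib
import zlib

# The three File Information blocks as they appear in the advisory above
# (a "Key" line followed by its "Value" line).
ADVISORY_FILE_INFO = """\
Example 1
Size
19K
SHA-1
5e32a3c2fae62313e609ede57b0e01d768d41fbc
MD5
4c017ac3bba817369cd09e09d45a2e4d
CRC-32
c3fb45fb
File type
application/x-ms-dos-executable
First seen
2010-09-29
Example 2
Size
38K
SHA-1
dc2a5b30259e2bc6509ab1e4f143e0eda11cd361
MD5
4a0ef450e8b2678787d1ff7c5cfed7ae
CRC-32
47a8a663
File type
application/x-ms-dos-executable
First seen
2010-09-30
Example 3
Size
20K
SHA-1
4e42db8486e1d24758fe31619869a7b46a7cfe06
MD5
531e84b0894a7496479d186712acd7d2
CRC-32
daf84aa4
File type
application/x-ms-dos-executable
First seen
2010-09-30
"""

HASH_FIELDS = {"SHA-1": "sha1", "MD5": "md5", "CRC-32": "crc32"}
OTHER_FIELDS = ("Size", "File type", "First seen")


def parse_file_info(text: str) -> list:
    """Turn the flattened Key/Value listing into one dict per Example (hashes lowercased)."""
    lines = [ln.strip() for ln in text.splitlines()]
    examples, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Example "):
            current = {"example": line}
            examples.append(current)
        elif current is not None and i + 1 < len(lines) and line in HASH_FIELDS:
            current[HASH_FIELDS[line]] = lines[i + 1].lower()
            i += 1  # consumed the value line
        elif current is not None and i + 1 < len(lines) and line in OTHER_FIELDS:
            current[line] = lines[i + 1]
            i += 1
        i += 1
    return examples


def build_ioc_index(examples: list) -> dict:
    """Map each digest value to the Example it came from, keyed by digest kind."""
    index = {kind: {} for kind in HASH_FIELDS.values()}
    for ex in examples:
        for kind in index:
            if kind in ex:
                index[kind][ex[kind]] = ex["example"]
    return index


def file_digests(data: bytes) -> dict:
    """SHA-1, MD5 and CRC-32 of a file's bytes in the advisory's lowercase hex form."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        # Mask to 32 bits and zero-pad so the value compares equal to the advisory's 8 hex digits.
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def match_iocs(data: bytes, index: dict) -> list:
    """(digest kind, Example name) pairs for every indicator the file matches."""
    digests = file_digests(data)
    return sorted((kind, index[kind][value])
                  for kind, value in digests.items() if value in index.get(kind, {}))


MUROFET_INDEX = build_ioc_index(parse_file_info(ADVISORY_FILE_INFO))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # assumed usage: python script.py <file> [<file> ...]
        with open(path, "rb") as fh:
            print(path, match_iocs(fh.read(), MUROFET_INDEX) or "no match")
```

A match on any one digest kind is reported, so a scan still works when only a CRC-32 or MD5 is available from another source; note that CRC-32 is not collision resistant and should only corroborate, never replace, a SHA-1 match.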
