Method of Infection
Win32/Matcash's installer drops two compressed files to the %Windows% directory:
svchosts.lzma
unsvchosts.lzma
These are decompressed, also to the %Windows% directory, using the following filenames:
svchosts.exe
unsvchosts.exe
The compressed files are then deleted.
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default location of the Windows directory is C:\Winnt for Windows NT and 2000, and C:\Windows for Windows 95, 98, ME and XP.
It launches unsvchosts.exe. This checks for previous versions of Matcash and uninstalls them if present. Once unsvchosts.exe has finished running, it is deleted by the installer.
Matcash generates a Class ID for itself based on hardware details from the affected system. Some of these details are read from the following registry values:
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
HKLM\HARDWARE\DESCRIPTION\System\SystemBiosDate
HKLM\HARDWARE\DESCRIPTION\System\VideoBiosDate
An example Class ID might be {18AD7F03-09CA-3081-0221-072902003d}.
It then launches svchosts.exe. This creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<Class ID> = "%Program Files Common%\<Class ID>\Update.exe" te-110-12-0000<3 digit number>
The value of <3 digit number> differs for each variant.
Note: %Program Files Common% is a variable location and refers to the folder that contains components shared across applications. This is only valid for NT-based operating systems. The malware determines the location of the current Program Files Common folder by querying the operating system. A typical location for this folder would be C:\Program Files\Common Files.
It also drops two compressed files to the %Program Files Common%\<Class ID> folder. These files may have either of the following pairs of names:
Update.exe.lzma
system.dll.lzma
or
directorexe.lzma
directordll.lzma
These files are decompressed to the same folder using the following filenames:
Update.exe
system.dll
Once this has been completed, the compressed files are deleted, and Update.exe is launched.
svchosts.exe installs itself as a service called "Client IP-IPX" or "COM+ Messages" which is run on system startup. This service checks that the registry entry at
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<Class ID>
is still present. If not, the registry entry will be re-created, and the above files reinstalled.
Matcash uses a mutex of Global\{F9CD854B-2C8B-412f-8F13-B0BF8DDEB229} to ensure only one copy is run at a time.
Some variants also install a further two compressed files to the %Program Files Common%\<Modified Class ID> folder. These files may have either of the following pairs of names:
Bar888.dll.lzma
Uninstall.exe.lzma
or
toolbardll.lzma
UnInstall.lzma
These files are decompressed to the same folder using the following filenames:
Bar888.dll
UnInstall.exe
Note: <Modified Class ID> is the same as <Class ID>, with the first digit replaced with 3. For the above example, these files would be written to the %Program Files Common%\{38AD7F03-09CA-3081-0221-072902003d} directory.
Bar888.dll is then intended to be silently installed as a Browser Helper Object (BHO) for Internet Explorer, with a ProgID of Toolbar.ToolbarObj.1 and a Class ID of {C1B4DEC2-2623-438e-9CA2-C9043AB28508}.
In some variants, such as Matcash.C, this file is corrupt, and the installation fails.
Otherwise, this results in the creation of the following registry entries:
HKLM\Software\Microsoft\Internet Explorer\Toolbar\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}
HKCR\ToolBar.ToolBarObj.1\(Default) = "Bar888"
HKCR\ToolBar.ToolBarObj.1\CLSID\(Default) = "{C1B4DEC2-2623-438e-9CA2-C9043AB28508}"
HKCR\ToolBar.ToolBarObj\(Default) = "Bar888"
HKCR\ToolBar.ToolBarObj\CLSID\(Default) = "{C1B4DEC2-2623-438e-9CA2-C9043AB28508}"
HKCR\ToolBar.ToolBarObj\CurVer\(Default) = "ToolBar.ToolBarObj.1"
HKCR\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = "Bar888"
HKCR\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\ProgID\(Default) = "ToolBar.ToolBarObj.1"
HKCR\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\VersionIndependentProgID\(Default) = "ToolBar.ToolBarObj"
HKCR\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\InprocServer32\(Default) = "<shortened pathname of dll>"
HKCR\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\TypeLib\(Default) = "{ED0FB633-C311-4bcd-824A-4D345386BE64}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\(Default) = "Bar888 1.0 Type Library"
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\FLAGS\(Default) = "0"
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0\win32\(Default) = "<shortened pathname of dll>"
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\HELPDIR\(Default) = "<shortened directory of dll>"
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\(Default) = "IToolBarObj"
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid\(Default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32\(Default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib\(Default) = "{569304BA-83ED-4CFF-AC26-BE3E482F7208}"
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib\Version = "1.0"
For the previous example, <shortened pathname of dll> would be "C:\PROGRA~1\COMMON~1\{38AD7~1\Bar888.dll", and <shortened directory of dll> would be "C:\PROGRA~1\COMMON~1\{38AD7~1\".
The following registry entries are also created for the BHO's uninstaller:
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bar888\DisplayName = "Bar888"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bar888\UninstallString = "%Program Files Common%\<Modified Class ID>\UnInstall.exe"
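The persistence and toolbar artifacts described above (the Run value with its "te-110-12-0000<3 digit number>" argument, the "Client IP-IPX" / "COM+ Messages" service, the BHO CLSID and the Bar888 uninstall entry) can be checked for offline in a registry export. The following Python script is an added example written for this page; it is not code from the original analysis or from the malware. It parses text in the Windows .reg export format, flags the indicators listed above, recovers the Class ID from the Run value and derives the <Modified Class ID> folder. The registry export it runs on is constructed for the example and is not a real capture; the Windows and Common Files paths used by expected_artifacts() are assumed defaults.

```python
import re

# Indicators taken from the description of Win32/Matcash above.
MATCASH_SERVICE_NAMES = {"client ip-ipx", "com+ messages"}
MATCASH_BHO_CLSID = "{c1b4dec2-2623-438e-9ca2-c9043ab28508}"
MATCASH_MUTEX = r"Global\{F9CD854B-2C8B-412f-8F13-B0BF8DDEB229}"

# The Matcash Class ID looks like a GUID, but the published example ends in a
# 10-digit group instead of the usual 12, so the pattern accepts 10 to 12.
CLASS_ID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{10,12}\}"
RUN_DATA_RE = re.compile(
    r'^"?(?P<path>.*?\\(?P<cid>' + CLASS_ID + r')\\Update\.exe)"?'
    r"\s+te-110-12-0000(?P<variant>\d{3})\s*$",
    re.IGNORECASE,
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed sample in .reg export format (not a real capture): one benign Run
# value, a Matcash Run value, the Matcash service and the BHO key.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{18AD7F03-09CA-3081-0221-072902003d}"="\"C:\\Program Files\\Common Files\\{18AD7F03-09CA-3081-0221-072902003d}\\Update.exe\" te-110-12-0000123"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Messages]
"ImagePath"="C:\\WINDOWS\\svchosts.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}]
'''


def _unescape(data):
    """Undo .reg string escaping; non-string data (dword:, hex:) is returned raw."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def scan_reg_export(text):
    """Return a list of Matcash indicators found in a .reg export given as text."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            low = current_key.lower()
            svc = re.search(r"\\services\\([^\\]+)$", low)
            if svc and svc.group(1) in MATCASH_SERVICE_NAMES:
                findings.append({"type": "service", "key": current_key, "name": svc.group(1)})
            if low.endswith("\\browser helper objects\\" + MATCASH_BHO_CLSID):
                findings.append({"type": "bho", "key": current_key})
            if low.endswith("\\currentversion\\uninstall\\bar888"):
                findings.append({"type": "uninstall_entry", "key": current_key})
            continue
        # Only values under a ...\CurrentVersion\Run key are inspected.
        if not current_key.lower().endswith("\\currentversion\\run"):
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        m = RUN_DATA_RE.match(_unescape(val.group("data")))
        if m:
            findings.append({
                "type": "run_key", "key": current_key, "value_name": val.group("name"),
                "class_id": m.group("cid"), "path": m.group("path"), "variant": m.group("variant"),
            })
    return findings


def modified_class_id(class_id):
    """The toolbar folder uses the Class ID with its first digit replaced by 3."""
    return class_id[0] + "3" + class_id[2:]


def expected_artifacts(class_id, common_files=r"C:\Program Files\Common Files", windows=r"C:\WINDOWS"):
    """File, service and mutex artifacts to check once a Class ID is known (default paths assumed)."""
    cid_dir = common_files + "\\" + class_id
    bar_dir = common_files + "\\" + modified_class_id(class_id)
    return {
        "files": [windows + r"\svchosts.exe", cid_dir + r"\Update.exe", cid_dir + r"\system.dll",
                  cid_dir + r"\request.html", bar_dir + r"\Bar888.dll", bar_dir + r"\UnInstall.exe"],
        "services": sorted(MATCASH_SERVICE_NAMES),
        "mutex": MATCASH_MUTEX,
    }


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
        if finding["type"] == "run_key":
            print(expected_artifacts(finding["class_id"]))
```

Feed it a file produced with reg export on the suspect host (or from a mounted offline hive converted to .reg text); the service check deliberately matches on the service name alone, because the ImagePath can be recreated by the service itself after a partial clean-up, as described above.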
Payload
Downloads and Executes Arbitrary Files
Matcash periodically sends a number of parameters to a server at dr<number>.mcboo.com, which may respond with further parameters to send at a later time, or with a command to download or launch a particular file.
At the time of publication, values observed for <number> ranged between 31 and 38.
During this procedure, Matcash temporarily saves downloaded files to %Program Files Common%\<Class ID>\request.html.
It also creates registry entries at
HKCU\Software\Classes\CLSID\<ClassID>\Request
HKCU\Software\Classes\CLSID\<ClassID>\Register
HKCU\Software\Classes\CLSID\<ClassID>\Installation
These registry entries hold encoded values, Base64 for Register and Installation and hexadecimal for Request, some of which record the time at which the download is attempted. An example of these registry entries might be:
HKCU\Software\Classes\CLSID\{18AD7F03-09CA-3081-0221-072902003d}\Request = "1C759C9A4B91500"
HKCU\Software\Classes\CLSID\{18AD7F03-09CA-3081-0221-072902003d}\Register = "ZmFsc2U="
HKCU\Software\Classes\CLSID\{18AD7F03-09CA-3081-0221-072902003d}\Installation = "MTI4MTY5ODM1NzkwNTQwMDAw"
Should the above download procedure fail, Matcash may instead attempt to download and execute a file from media.matcash.com.
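Decoding the values under HKCU\Software\Classes\CLSID\<ClassID> gives a responder the time the update routine last ran. The following Python script is an added example written for this page, not code from the original analysis. It decodes the three example values quoted above: Register is Base64 for the text "false", Installation is Base64 for the decimal string 128169835790540000, and Request is a hexadecimal number of the same magnitude. Reading the two numbers as Windows FILETIME values (100-nanosecond intervals since 1 January 1601 UTC) is an interpretation assumed by this example; it is supported by both decoding to 26 February 2007, about two minutes apart.

```python
import base64
import binascii
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The example values quoted in the description above.
EXAMPLE_VALUES = {
    "Request": "1C759C9A4B91500",
    "Register": "ZmFsc2U=",
    "Installation": "MTI4MTY5ODM1NzkwNTQwMDAw",
}


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100-ns intervals since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_value(name, data):
    """Decode one Request/Register/Installation value into a dict describing it.

    Request is not valid Base64 (15 characters, no padding) and is read as a
    hexadecimal integer; the other values are Base64. Any decoded value that is
    a plain run of digits is treated as a FILETIME. That treatment is an
    assumption of this example, based on the magnitude of the sample values.
    """
    if name == "Request":
        try:
            ft = int(data, 16)
        except ValueError:
            return {"name": name, "kind": "unknown", "raw": data}
        return {"name": name, "kind": "filetime", "value": ft, "utc": filetime_to_datetime(ft)}
    try:
        text = base64.b64decode(data, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return {"name": name, "kind": "unknown", "raw": data}
    if text.isdigit():
        ft = int(text)
        return {"name": name, "kind": "filetime", "value": ft, "utc": filetime_to_datetime(ft)}
    return {"name": name, "kind": "text", "value": text}


def decode_classid_values(values):
    """Decode a {value name: stored string} mapping read from the CLSID key."""
    return {name: decode_value(name, data) for name, data in values.items()}


if __name__ == "__main__":
    for name, decoded in decode_classid_values(EXAMPLE_VALUES).items():
        print(name, decoded)
```

On a live system the three strings would be read from the CLSID key of the infected user's HKCU hive; the script keeps the decoding separate from registry access so it can be run against values copied out of a forensic image.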
Installs IE Toolbar
In some variants, Bar888.dll is silently installed as a Browser Helper Object which appears to hijack search results. This installation fails for Matcash.C. The toolbar may be uninstalled using UnInstall.exe, which may be found in the same directory as the DLL, or via Add/Remove Programs. The system may need to be rebooted to complete the removal of all components. This uninstaller does not remove any other Matcash components.
Analysis by David Wood