Today's topic on cryptpro is the Trojan Turla.
Turla is one of the most recent malware that has been dis
Turla was first discovered on January 13, 2014, and the entry it is described in was last updated on August 8, 2014.
Almost every Windows version is listed as affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008 and Windows 7.
How does it work on the infected system?
When the Trojan is executed it creates several files. The details below apply to Windows; recently Turla has also been used against Linux systems, which I will cover in my next article.
The following registry entries are created or modified (the service key that holds the ImagePath value is not given in the original listing):
- HKEY_LOCAL_MACHINE\SYSTEM\Select\"Default" = "01"
- HKEY_LOCAL_MACHINE\SYSTEM\Select\"LastKnownGood" = "01"
- "ImagePath" = "%System%\drivers\nmnu.sys"
Note that the Default and LastKnownGood values under HKLM\SYSTEM\Select exist on every Windows installation (they select which control set is booted), so their presence alone is not an indicator; the driver path is the useful artifact to look for.
The following service is started:
- Service name: mrxdmb
- Image path: %System%\drivers\mrxdmb.sys
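The host-triage script below is an added example and is not code from the original post or from any vendor tool. It checks a Windows machine for the artifacts listed above: the mrxdmb service, any service whose ImagePath points at nmnu.sys or mrxdmb.sys, the driver files on disk, and whether such a driver is currently loaded. It assumes the file and service names are exactly as the post lists them and must be run from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the original post). Looks for the Turla
# artifacts named in the post: the mrxdmb service and the nmnu.sys /
# mrxdmb.sys driver files. Run from an elevated PowerShell prompt.
# Assumption: the names are exactly as the post lists them; a clean result
# means "these specific indicators are absent", not "the host is clean".

$driverNames  = @('nmnu.sys', 'mrxdmb.sys')
$serviceNames = @('mrxdmb')
$driverDir    = Join-Path $env:SystemRoot 'System32\drivers'
$findings     = @()

# 1. Driver files on disk. Hash anything found so it can be compared later.
foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'DriverFile'; Name = $path; Detail = "SHA256=$hash" }
    }
}

# 2. Service registrations. Match on the service name, and also on any
#    service whose ImagePath references one of the driver files (the post
#    lists an ImagePath of %System%\drivers\nmnu.sys without its key name).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $props   = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image   = [string]$props.ImagePath
    $byName  = $serviceNames -contains $key.PSChildName
    $byImage = $driverNames | Where-Object { $image -match [regex]::Escape($_) }
    if ($byName -or $byImage) {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Name   = $key.PSChildName
            Detail = "ImagePath=$image Start=$($props.Start)"
        }
    }
}

# 3. Is the driver loaded right now? A running kernel driver can hide its
#    own files and keys, so a hit here means the host cannot be trusted to
#    report on itself: image it before attempting any cleanup.
foreach ($drv in Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue) {
    $loadedByImage = $driverNames | Where-Object { $drv.PathName -match [regex]::Escape($_) }
    if (($serviceNames -contains $drv.Name) -or $loadedByImage) {
        $findings += [pscustomobject]@{
            Type   = 'LoadedDriver'
            Name   = $drv.Name
            Detail = "State=$($drv.State) Path=$($drv.PathName)"
        }
    }
}

# 4. The HKLM\SYSTEM\Select values the post lists exist on every Windows
#    install (they pick the control set to boot), so record them for the
#    report but do not treat them as findings.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
Write-Host ("Select: Default={0} LastKnownGood={1}" -f $select.Default, $select.LastKnownGood)

if ($findings.Count -eq 0) {
    Write-Host 'None of the Turla indicators from the post were found on this host.'
    exit 0
}
$findings | Format-Table -AutoSize | Out-String | Write-Host
exit 1
```

The script only reports; it deliberately does not stop or delete anything, because the right next step after a LoadedDriver hit is to capture memory and disk images, not to clean in place. The exit code (1 on any finding) lets it be run across a fleet from a management tool and the results collected.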
Once all of this is in place the Trojan becomes active.
First it connects to its command-and-control (C&C) servers.
After connecting it will:
- open a back door on the infected computer
- gather sensitive information
- send the collected files to the servers it is connected to
- automatically download and install updated components and their drivers
- automatically add a proxy if the direct connection is blocked
- terminate processes and write data to a log file
How to remove?
If you have a registry backup taken before the infection, you can restore from it, but only after running the Power Eraser tool to remove the Trojan's files and driver; restoring first would let the still-running Trojan simply re-create its entries. Because Turla loads a kernel-mode driver, the host cannot be fully trusted to report on its own state, so the safest course is to rebuild the machine from known-good media and restore only your data.