Trojan Turla, its History and How it Affects Windows System

Today's topic on cryptpro is the Trojan Turla.

Turla is one of the most recent malware that has been dis

History

Turla was first identified on January 13, 2014; the information below was last updated on August 8, 2014.

Almost every Windows version is affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008 and Windows XP.

How it works behind the scenes

When the Trojan is executed, it creates the following files on the Windows system. A Linux variant of Turla has also recently been reported; that will be covered in the next article.

  • %CurrentFolder%\SPUNINST\vt.bin
  • %Windir%\resin.bin
  • %System%\vtmon.bin
  • %System%\drivers\mrxdmb.sys
  • %System%\drivers\nmnu.sys
  • %Windir%\$NtU*\mtmon.sdb
  • %Windir%\$NtU*\scmp.bin
  • %Windir%\$NtU*\cmp.bin

The Trojan also adds registry entries.

The following service is started, loading the dropped kernel driver:

  • Service name: mrxdmb
  • Image Path: %System%\drivers\mrxdmb.sys

Once all of this is in place, the Trojan begins its main routine.

First, it connects to the following command-and-control (C&C) servers:

  • nightday.comxa.com
  • sanky.sportsontheweb.net
  • tiger.netii.net
  • north-area.bbsindex.com

After connecting, it attempts to:

  1. open a back door on the infected computer
  2. gather sensitive information
  3. send the collected files to the servers it is connected to
  4. automatically update itself and install its drivers
  5. configure a proxy automatically if the connection is blocked
  6. terminate processes and write data to a log file
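The three indicator lists above (the dropped files, the mrxdmb driver service and the C&C domains) are what a responder would sweep a host for. The PowerShell script below is an added example, not code from the original article or from any vendor tool. It assumes %Windir% is $env:SystemRoot, %System% is System32 (plus SysWOW64 on 64-bit hosts, where a 32-bit dropper's writes to System32 are redirected), and it takes the unknown %CurrentFolder% as a -DropperRoot parameter; the proxy check at the end corresponds to the proxy behaviour described above.

```powershell
# Added example (not part of the original article): sweep a Windows host for
# the Turla indicators listed above. Run from an elevated PowerShell 3+ prompt.
# Assumptions: %Windir% is $env:SystemRoot; %System% is System32, and on 64-bit
# hosts also SysWOW64 (a 32-bit dropper writing to System32 is redirected there);
# %CurrentFolder% is the dropper's working directory, which is unknown, so it is
# supplied with -DropperRoot (default: the current directory).
[CmdletBinding()]
param([string]$DropperRoot = (Get-Location).Path)

$windir     = $env:SystemRoot
$systemDirs = @(Join-Path $windir 'System32')
$wow64      = Join-Path $windir 'SysWOW64'
if (Test-Path $wow64) { $systemDirs += $wow64 }

# File indicators from the article. '$NtU*' is a wildcard over the
# $NtUninstall... folders that Windows updates leave under %Windir%.
$filePatterns = @(
    (Join-Path $DropperRoot 'SPUNINST\vt.bin'),
    (Join-Path $windir 'resin.bin'),
    (Join-Path $windir '$NtU*\mtmon.sdb'),
    (Join-Path $windir '$NtU*\scmp.bin'),
    (Join-Path $windir '$NtU*\cmp.bin')
)
foreach ($dir in $systemDirs) {
    $filePatterns += (Join-Path $dir 'vtmon.bin')
    $filePatterns += (Join-Path $dir 'drivers\mrxdmb.sys')
    $filePatterns += (Join-Path $dir 'drivers\nmnu.sys')
}

$serviceName = 'mrxdmb'
$c2Domains   = @('nightday.comxa.com', 'sanky.sportsontheweb.net',
                 'tiger.netii.net', 'north-area.bbsindex.com')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail })
}

# 1. Dropped files (-Force also returns hidden and system files).
foreach ($pattern in $filePatterns) {
    foreach ($hit in (Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue)) {
        Add-Finding 'File' $hit.FullName "size=$($hit.Length) mtime=$($hit.LastWriteTime)"
    }
}

# 2. The driver service. Kernel drivers are not returned by Get-Service, so read
#    the service key directly; this also catches a stopped or disabled entry.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    Add-Finding 'Service' $serviceName "ImagePath=$($svc.ImagePath) Start=$($svc.Start)"
}

# 3. C&C domains. Do not resolve them yourself from a production host: that tips
#    off the operator and pollutes the DNS cache you are about to inspect. Look
#    instead for evidence that the host has already contacted them.
$dnsCache  = ipconfig /displaydns 2>$null
$hostsFile = Join-Path $windir 'System32\drivers\etc\hosts'
foreach ($domain in $c2Domains) {
    $rx     = [regex]::Escape($domain)
    $cached = @($dnsCache | Where-Object { $_ -match $rx })
    if ($cached.Count -gt 0) { Add-Finding 'DNS cache' $domain ($cached[0].Trim()) }
    if ((Test-Path $hostsFile) -and (Select-String -Path $hostsFile -Pattern $rx -Quiet)) {
        Add-Finding 'hosts file' $domain $hostsFile
    }
}

# 4. Proxy settings. The article says the Trojan configures a proxy when its
#    connection is blocked, so a proxy nobody set deliberately deserves a look.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    Add-Finding 'Proxy' "$($inet.ProxyServer)" 'ProxyEnable=1 (confirm this proxy is legitimate)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Turla indicators found.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1
```

Save it as Find-Turla.ps1 and run it elevated; exit code 1 means something matched. A hit on a driver path or on the service key is strong evidence, while a cached C&C name or an unexpected proxy on its own only means the host needs a closer look. Because one of the dropped components is a kernel driver, a clean result from a live system should be treated with some caution; checking the disk offline from trusted boot media is the more reliable test.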

How to remove?

There are several tools that can remove it; the one suggested here is Symantec Power Eraser, which is available from Symantec.

If you have a backup of the registry taken before the infection, you can restore it, but only after running the Power Eraser tool.