General explanation
Type: Trojan
Degree of destruction: high
Prevalence: high
Names of the malware:
- Trojan.Win32.Vools
- Trojan.Win64.Vools
Used vulnerability: ms17-010
What is Trojan?
Trojans are a type of malware that present themselves as legitimate, harmless software and behave like a useful application, but cause extensive damage to the system once executed. Software downloaded from the internet, embedded HTML content, and e-mail attachments are among the ways Trojans enter a system. Unlike viruses and computer worms, Trojans do not replicate themselves.
What is Vools malware?
The Vools trojan is a type of malware that spreads by exploiting vulnerabilities based on EternalBlue and DoublePulsar. Its ultimate goal is to mine cryptocurrency, and the prevalence of malware using this infection method is currently increasing. This malware is a miner; its purpose is to use the victim's system processor to mine Bitcoin.
Technical explanation
Signs of infection
The signs of infection by this malware are the presence of the following files on the victim's system:
“[SystemRoot]\Windows\System32\Wmassrv.dll”
“[SystemRoot]\Windows\System32\EnrollCertXaml.dll”
If you find files named spoolsv.exe or svchost.exe placed in any of the following directories (rather than in their legitimate location), your system has unfortunately been attacked by this malware:
“[SystemRoot]\Windows\IME\Microsoft”
“[SystemRoot]\Windows\IME\Crypt”
“[SystemRoot]\Windows\IME\Daps”
“[SystemRoot]\Windows\SpeechsTracing”
“[SystemRoot]\Windows\System32\SysprepThemes”
“[SystemRoot]\Windows\System32\SecureBootThemes”
These two files exploit the vulnerabilities of your system and spread the malware across the entire local network.
svchost.exe uses EternalBlue to lay the groundwork for spreading the malware to other clients: after enumerating all IP addresses present on the network, it installs a backdoor on the reachable systems.
The spoolsv.exe file, in turn, is responsible for distributing the malware files to the clients connected to the victim's system once svchost.exe has run and established the required conditions.
Wmassrv.dll is transferred to the victim's system by spoolsv.exe and injected into the lsass.exe process. In some cases the lsass.exe process terminates because of a buffer overflow; since lsass.exe is a critical process, its termination makes the system display a critical error and restart.
If this critical error does not occur, the malware proceeds with its normal procedure, which includes the following:
A service and a scheduled task are created for the Wmassrv.dll file on the victim's system; the scheduled task executes Wmassrv.dll through rundll32.exe.
It then downloads the Bitcoin mining files. The names and paths of the miner files this malware may download and execute on the victim's system are as follows:
“[SystemRoot]\Windows\System32\TasksHostServices.exe”
“[SystemRoot]\Windows\System32\SmssServices.exe”
How to deal with it and disinfect the system
To prevent probable infection by malware that exploits the EternalBlue vulnerability, it is recommended to apply the MS17-010 security patch provided by Microsoft.
The IPS module of Padvish Antivirus detects these types of vulnerability exploitation and prevents them from reaching the victim's system. Padvish also detects and disinfects this malware.
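The following PowerShell triage script is an added example, not part of the original advisory or of Padvish: it checks a host for the dropped files, misplaced spreader copies and rundll32/Wmassrv.dll persistence described above, and reports whether SMBv1 (the protocol MS17-010 covers) is still enabled. It assumes Windows 8 / Server 2012 or later and resolves paths from the real %SystemRoot% rather than the advisory's "[SystemRoot]\Windows" notation.

```powershell
# Added triage script (not the advisory's own tooling); run in an elevated PowerShell.
$root = $env:SystemRoot
$findings = @()

# Dropped DLLs and miner executables named in the write-up
$iocFiles = @(
    "$root\System32\Wmassrv.dll",
    "$root\System32\EnrollCertXaml.dll",
    "$root\System32\TasksHostServices.exe",
    "$root\System32\SmssServices.exe"
)
foreach ($f in $iocFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "IOC file present: $f" }
}

# Staging directories for the spreader copies; the legitimate svchost.exe and
# spoolsv.exe live only in System32, so a copy in any of these is suspect.
$iocDirs = @(
    "$root\IME\Microsoft", "$root\IME\Crypt", "$root\IME\Daps",
    "$root\SpeechsTracing", "$root\System32\SysprepThemes", "$root\System32\SecureBootThemes"
)
foreach ($d in $iocDirs) {
    foreach ($name in 'svchost.exe', 'spoolsv.exe') {
        $p = Join-Path $d $name
        if (Test-Path -LiteralPath $p) { $findings += "Misplaced spreader binary: $p" }
    }
}

# Persistence: a scheduled task or service that loads Wmassrv.dll (e.g. via rundll32.exe)
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'Wmassrv\.dll') {
            $findings += "Scheduled task '$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)"
        }
    }
}
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -match 'Wmassrv\.dll') {
        $findings += "Service '$($svc.Name)' runs: $($svc.PathName)"
    }
}

# Exposure: EternalBlue abuses SMBv1; a host with SMBv1 enabled remains a spreading target
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += "SMBv1 is enabled: apply MS17-010 and disable SMBv1"
}

if ($findings.Count -eq 0) { 'No Vools indicators found' } else { $findings }
```

A clean host prints only the "No Vools indicators found" line; any other output should be treated as a lead for isolating the machine and checking the rest of the subnet, since the spreader targets every reachable IP.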