- Security Center
- English ▾
Size: 878592 bytes
Aliases: Backdoor:Win32/Kelihos.F(Microsoft), TrojanPSW.FTPAgent
Trojan is designed to steal user’s confidential data as well as send targeted spam emails.
Prior to being automatically launched each time Windows is booted on the victim machine, the Trojan creates a link to its executable file in the system registry Run key:
The Trojan adds a registry key:
where it stores service data encrypted.
The Trojan then updates a list of root certificates by downloading files:
The malware then sets up secured connections to the attacker’s servers from which it receives remote commands and data to control the bot:
Depending on the operation required, the following web-resources are called:
The incoming and outgoing traffic is encrypted. From the command server, the malware receives a list of servers to be attacked, a list of servers through which spam emails are to be sent, spam content, links to download and launch files on the user’s PC and commands for the bot. A malicious bot can perform the following actions:
- Perform DoS attacks on the servers indicated above;
- Act as a Proxy server;
- Send spam emails;
- Monitor the network traffic.
To monitor the network traffic, the Trojan uses the "winpcap" library it contains in its body. With the library, the malware intercepts and steals the confidential data from emails, FTP accounts. The malware intercepts traffic with the following strings:
The malware then searches FTP, SFTP, WebDAV clients for the confidential information and collects it:
BulletProof FTP Client 2009
BulletProof FTP Client 2010
CuteFTP 6 Home
CuteFTP 6 Professional
CuteFTP 7 Home
CuteFTP 7 Professional
CuteFTP 8 Home
CuteFTP 8 Professional
FAR Manager FTP
FTP Commander Pro
FTP Commander Deluxe
Total Commander FTP
SoftX FTP Client
In addition, the Trojan steals the Bitcoin wallet:
Being executed, the Trojan tries to update its executable module. The downloaded file is 762888 bytes in size (link).
The Trojan sends spam emails through servers from the list it receives from the command server:
In addition, the Trojan searches for the files with the following file extensions:
And sends spam messages (see below) to the email addresses:
Spreading via USB
The Trojan copies itself to the root folder of all the removable drives with the following name:
To launch the malicious file on the removable drive, the Trojan exploits the CVE-2010-2568 vulnerability. The vulnerability is located in the "CtrlExtIconBase::_GetIconLocationW" function of the "shell32.dll" library which allows launching a malicious file on the removable drive.
The Trojan creates a file:
X:\Shortcut to Sony.lnk
In addition, the Trojan receives names of all folders in the root directory on the removable drive and creates "lnk" files with names of those folders. The Trojan adds the "Hidden", "System", "Read only", "Archive" attributes to all folders.
- Using Task Manager ("How to End a Process with the Task Manager") terminate the Trojan process.
- Delete the original malware file (its file name and location depends on the way the Trojan originally penetrated a user’s computer).
- Change passwords for the FTP clients listed above.
- Change confidential Bitcoin data.
- Delete the following parameter of the registry keys ("How to Work with System Registry"):
- Delete the registry key ("How to Work with System Registry"):
- Run a full scan of your computer using the Antivirus program with the updated definition database ("Download Ad-Aware Free").