Backdoor.Win32.Kelihos_5e61b79041

by malwarelabrobot on September 11th, 2013 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Kelihos.FD (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5e61b79041a85d12401b7d6d950d0738
SHA1: f9b12d6319f074aa47999ff5983ffe90cf65cf0c
SHA256: dca6dbfcb4d7bb6974ca8db0243e57000c3fa538912bf209fa594628700256a5
SSDeep: 24576:ADMWCVCJ Bnk 2n6zBQRcZG3BqzdqfsIFB9RuzKEKX:lVy 1kZz B3BqzcsIFB9RQiX
Size: 1142245 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2002-03-27 05:15:00


Summary:

Backdoor: malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

The Backdoor injects its code into the following process(es):

5e61b79041a85d12401b7d6d950d0738.exe:1540

File activity

The process 5e61b79041a85d12401b7d6d950d0738.exe:1540 makes changes to the file system.
The Backdoor deletes the following file(s):

C:\tmp.exe (0 bytes)

Registry activity

The process 5e61b79041a85d12401b7d6d950d0738.exe:1540 makes changes to the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 DB 4B F9 80 D5 3F DC 57 A4 16 F3 B2 B5 37 90"

[HKCU\Software\Microsoft\Notepad]
"sizeCompletedValid" = "DNmZIYhlspG4ay0uohJzbpaSVoABj8znyYL7c22GkGuV/k4 JijkaEb8GyURqD0FQQ=="

[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"ComputerName" = "XP3"

[HKCU\Software\Microsoft\Notepad]
"infoPlayedCurrent" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 61 00 02 01 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Notepad]
"styleModifiedPrev" = "80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PersistentLocalizedName" = "D6 80 F9 7F 7A A3 B2 5C 1A D9 D9 BE 8D 3B 4B 02"

[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "D6 80 F9 7F 73 5A 9C F6 B5 BF 20 C7 10 A9 35 32"

[HKCU\Software\Microsoft\Notepad]
"activeModifiedTheme" = "D6 80 F9 7F 87 AB BC 7C 56 61 5C 58 E7 43 C5 29"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"

[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DNmZIYhlspG4ay0uohJzbpaSVoABj8znyYL7c22GkGuV/k4 JijkaEb8GyURqD0FQQ=="

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DNmZIYhlspG4ay0uohJzbpaSVoABj8znyYL7c22GkGuV/k4 JijkaEb8GyURqD0FQQ=="

To run itself automatically each time Windows boots, the Backdoor adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkVerifyer" = "c:\5e61b79041a85d12401b7d6d950d0738.exe"

Network activity (URLs)

URL IP
hxxp://178.211.139.155/main.htm (Malicious)
hxxp://178.211.139.155/install.htm (Malicious)
hxxp://46.137.115.54/OEWINN
hxxp://176.34.127.136/OEWINN
hxxp://ec2-176-34-127-136.eu-west-1.compute.amazonaws.com/OEWINN
hxxp://ec2-46-137-115-54.eu-west-1.compute.amazonaws.com/OEWINN


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Backdoor's process (How to End a Process With the Task Manager).
  2. Delete the original Backdoor file.
  3. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetworkVerifyer" = "c:\5e61b79041a85d12401b7d6d950d0738.exe"

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.