Win32/Kasidet [Threat Name]

Win32/Kasidet.AD [Threat Variant Name]

Category worm
Size 295424 B
Detection created Aug 20, 2015
Detection database version 12122
Aliases Trojan.Win32.SelfDel.blcu (Kaspersky)
  Trojan.MulDrop6.16162 (Dr.Web)
  Trojan:Win32/Dynamer!ac (Microsoft)
Short description

Win32/Kasidet.AD is a worm that serves as a backdoor and can be controlled remotely.

Installation

The worm searches for files with the following file extensions:

  • .exe

Only the following folders are searched:

  • %windir%

It avoids files which contain any of the following strings in their path:

  • install
  • setup
  • update
  • patch

The worm copies itself to the following location:

  • %appdata%\W2VTWFFiQQxx\%variable%.exe

The name of the new file is based on the name of the file found in the search.


The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%.exe" = "%appdata%\W2VTWFFiQQxx\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%.exe" = "%appdata%\W2VTWFFiQQxx\%variable%.exe"

This causes the worm to be executed on every system start.


The worm schedules a task that causes the following file to be executed daily:

  • %appdata%\W2VTWFFiQQxx\%variable%.exe

A string with variable content is used instead of %variable%.


The worm injects its own program code into the following processes and runs it in a new thread:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • maxthon.exe

The worm quits immediately if it is run within a debugger.


The worm quits immediately if the executable file path contains one of the following strings:

  • SAMPLE
  • VIRUS
  • SANDBOX

The worm quits immediately if the Windows user name is one of the following:

  • MALTEST
  • TEQUILABOOMBOOM
  • SANDBOX
  • MALWARE
  • VIRUS

The worm terminates its execution if it detects that it's running in a specific virtual environment.


The worm quits immediately if any of the following applications is detected:

  • Wine

Information stealing

The worm searches the memory of running processes and tries to find the following information:

  • credit card information

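The memory search described above is the same one used by POS RAM scrapers: walk process memory for digit runs that look like a card number and keep those that pass the Luhn check. The following is an added example, not code from the ESET description or from the malware, that models this search over a constructed memory buffer; the card numbers in it are public test numbers, not real accounts, and the buffer layout (HTTP POST body, track-2 style record) is invented for illustration.

```python
"""Added example (not part of the ESET description): a model of the
credit-card search in process memory. It scans a byte buffer for
13- to 19-digit runs and keeps those that pass the Luhn mod-10 check,
which is how RAM scrapers and DLP scanners alike recognise primary
account numbers (PANs). SAMPLE_MEMORY is constructed; the PANs in it
are public test numbers."""
import re
from typing import List, Tuple

# PANs are 13 to 19 digits; the lookarounds stop a longer digit run
# (an order id, discretionary track data) from yielding a partial match.
_DIGIT_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pans(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, PAN) for every Luhn-valid digit run in buf.
    Runs of one repeated digit (e.g. sixteen zeros) pass Luhn but are
    never real PANs, so they are skipped."""
    hits = []
    for m in _DIGIT_RUN.finditer(buf):
        run = m.group(1).decode("ascii")
        if len(set(run)) == 1:
            continue
        if luhn_ok(run):
            hits.append((m.start(1), run))
    return hits


# Constructed "process memory": a checkout POST body carrying a public
# Visa test number, a track-2 style record carrying a public Mastercard
# test number, and noise that must not match (a 12-digit order id,
# a Luhn-invalid number, a run of zeros).
SAMPLE_MEMORY = (
    b"\x00\x00POST /checkout HTTP/1.1\r\n\r\n"
    b"cardnumber=4111111111111111&exp=1227&cvv=123\x00\x00"
    b";5555555555554444=2712101?\x00"
    b"order=123456789012&bad=4111111111111112&pad=0000000000000000\x00"
)


def demo() -> List[str]:
    """PANs recovered from the constructed buffer, in memory order."""
    return [pan for _, pan in scan_for_pans(SAMPLE_MEMORY)]
```

The Luhn filter is what keeps the scraper's output small enough to exfiltrate: only two of the five long digit runs in the buffer survive it. The same function, pointed at a process dump, is a quick way to check whether a payment application keeps PANs in cleartext in memory.
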
The worm collects the following information:

  • operating system version
  • installed antivirus software
  • computer IP address
  • malware version

The worm collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Maxthon
  • Mozilla Firefox
  • Opera

The worm is able to log keystrokes.


The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (4) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform DoS/DDoS attacks
  • execute shell commands
  • send files to a remote computer
  • log keystrokes
  • capture screenshots
  • redirect network traffic

The worm keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\W2VTWFFiQQxx\arr]
  • [HKEY_CURRENT_USER\Software\W2VTWFFiQQxx\rate]
  • [HKEY_CURRENT_USER\Software\W2VTWFFiQQxx\Addr]

The worm hooks the following API functions (Windows APIs and browser libraries):

  • PR_Write (nss3.dll)
  • SSL_write (chrome.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • InternetConnectW (wininet.dll)
  • getaddrinfo (ws2_32.dll)
  • GetAddrInfoW (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • WSASend (ws2_32.dll)

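Hooking functions such as PR_Write, HttpSendRequestW or WSASend in the browser means overwriting their first bytes with a jump into the injected code, so that form data is captured before TLS encrypts it. A memory scanner finds such hooks by reading each export's prologue and checking whether it starts with a control transfer whose target lies outside the owning module. The following is an added example, not ESET's code or the worm's, of that check over constructed prologue bytes; the export names are taken from the list above plus InternetOpenW, and the load addresses and injected-code address are invented.

```python
"""Added example (not ESET's code): detecting user-mode inline hooks of the
kind the page describes. Each export's first bytes are decoded; if they are
a jmp/push-ret/mov-jmp whose target is outside the module that owns the
export, the function is reported as hooked. Addresses and bytes below are
constructed."""
import struct
from typing import Dict, List, Optional, Tuple

MASK64 = 0xFFFFFFFFFFFFFFFF


def decode_prologue_jump(prologue: bytes, func_va: int) -> Optional[Tuple[str, int]]:
    """Return (kind, target) if the prologue starts with a control transfer
    that hook engines typically plant; None for a normal prologue."""
    p = prologue
    if len(p) >= 5 and p[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack("<i", p[1:5])[0]
        return ("jmp_rel32", (func_va + 5 + rel) & MASK64)
    if len(p) >= 2 and p[0] == 0xEB:                      # jmp rel8 (hot-patch slot)
        rel = struct.unpack("<b", p[1:2])[0]
        return ("jmp_rel8", (func_va + 2 + rel) & MASK64)
    if len(p) >= 6 and p[0] == 0x68 and p[5] == 0xC3:     # push imm32 ; ret
        return ("push_ret", struct.unpack("<I", p[1:5])[0])
    if len(p) >= 7 and p[0] == 0xB8 and p[5:7] == b"\xFF\xE0":          # mov eax,imm32 ; jmp eax
        return ("mov_eax_jmp", struct.unpack("<I", p[1:5])[0])
    if len(p) >= 12 and p[0:2] == b"\x48\xB8" and p[10:12] == b"\xFF\xE0":  # mov rax,imm64 ; jmp rax
        return ("mov_rax_jmp", struct.unpack("<Q", p[2:10])[0])
    return None


def check_export(name: str, prologue: bytes, func_va: int,
                 module_range: Tuple[int, int]) -> Dict:
    """Hooked means: the prologue jumps somewhere outside the module.
    A jump that stays inside the module (Microsoft hot-patching, a
    compiler thunk) is reported but not flagged."""
    lo, hi = module_range
    jump = decode_prologue_jump(prologue, func_va)
    if jump is None:
        return {"export": name, "hooked": False, "kind": None, "target": None}
    kind, target = jump
    return {"export": name, "hooked": not (lo <= target < hi),
            "kind": kind, "target": target}


def scan_module(exports, module_range) -> List[Dict]:
    return [check_export(n, p, va, module_range) for n, p, va in exports]


# Constructed data: a wininet.dll load range and an address inside the
# injected code. Export names are real; addresses are made up.
WININET = (0x76C00000, 0x76D00000)
INJECTED = 0x00A10000
SAMPLE_EXPORTS = [
    # normal hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp
    ("InternetConnectW", bytes.fromhex("8BFF558BEC"), 0x76C01000),
    # jmp rel32 into the injected code
    ("HttpSendRequestW",
     b"\xE9" + struct.pack("<i", INJECTED - (0x76C02000 + 5)), 0x76C02000),
    # push <injected address> ; ret
    ("InternetWriteFile", b"\x68" + struct.pack("<I", INJECTED) + b"\xC3", 0x76C03000),
    # short jmp -7 into the hot-patch slot before the function: stays in module
    ("InternetOpenW", b"\xEB\xF9\x90\x90", 0x76C04000),
]


def hooked_exports(exports=SAMPLE_EXPORTS, module_range=WININET) -> List[str]:
    return [r["export"] for r in scan_module(exports, module_range) if r["hooked"]]
```

On a live system the prologue bytes come from ReadProcessMemory on the browser process and the module range from its loaded-module list; comparing the in-memory prologue with the one on disk is a complementary check that also catches hooks that do not start with a jump.
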
The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "EnableSPDY3_0" = 0

This disables SPDY/3 in Internet Explorer 11, which keeps its requests on the WinINet code path the worm hooks.

The worm may execute the following commands:

  • netsh firewall add allowedprogram "%malwarefilepath%" %malwarefilename% ENABLE
  • netsh advfirewall firewall add rule name="%malwarefilename%" dir=in action=allow program="%malwarefilepath%"

These commands add an exception for the worm's executable to the Windows Firewall; the netsh firewall syntax targets Windows XP and Server 2003, the netsh advfirewall syntax Windows Vista and later.

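Two of the host artifacts above, the Run value under %appdata%\W2VTWFFiQQxx and the netsh firewall exception, are straightforward to detect from endpoint telemetry. The following is an added example, not ESET's code, of detection logic written against Sysmon-style event records (event 13 for a registry value set, event 1 for process creation), with the two findings correlated on the executable path so that one program doing both is scored higher. The events are constructed; svchost32.exe stands in for %variable%.exe and the user, host and SID are invented.

```python
"""Added example (not part of the ESET description): detection of the
%appdata% Run-key persistence and the netsh firewall exception described
above, over constructed Sysmon-style events. Field names follow Sysmon
(TargetObject, Details, Image, CommandLine); values are made up."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
APPDATA_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I)
NETSH_LEGACY = re.compile(r'firewall\s+add\s+allowedprogram\s+"?([^"\s]+)"?.*\bENABLE\b', re.I)
NETSH_ADV = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?([^"\s]+)"?', re.I)


def check_run_key(ev: Dict) -> Optional[Dict]:
    """Sysmon 13: a Run value whose name is the executable's own file name
    and whose data lives in a sub-folder of %appdata% (the pattern on this page)."""
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    path = ev.get("Details", "").strip('"')
    if not m or not APPDATA_EXE.match(path):
        return None
    if m.group(1).lower() != path.rsplit("\\", 1)[1].lower():
        return None
    return {"rule": "appdata_run_key", "path": path.lower()}


def check_firewall_exception(ev: Dict) -> Optional[Dict]:
    """Sysmon 1: netsh adding an allow rule for a program under %appdata%,
    in either the legacy or the advfirewall syntax."""
    if not ev.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    m = NETSH_LEGACY.search(cmd) or NETSH_ADV.search(cmd)
    if not m or not APPDATA_EXE.match(m.group(1)):
        return None
    return {"rule": "appdata_firewall_exception", "path": m.group(1).lower()}


def detect(events: List[Dict]) -> List[Dict]:
    findings = []
    for ev in events:
        f = None
        if ev.get("EventID") == 13:
            f = check_run_key(ev)
        elif ev.get("EventID") == 1:
            f = check_firewall_exception(ev)
        if f:
            f["host"] = ev.get("Computer")
            findings.append(f)
    # one executable that both persists via Run and opens the firewall
    # on the same host is scored high; a single hit stays medium
    rules_by_path = defaultdict(set)
    for f in findings:
        rules_by_path[(f["host"], f["path"])].add(f["rule"])
    for f in findings:
        f["severity"] = "high" if len(rules_by_path[(f["host"], f["path"])]) > 1 else "medium"
    return findings


# Constructed events: two from the worm on ws01, two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost32.exe",
     "Details": r"C:\Users\bob\AppData\Roaming\W2VTWFFiQQxx\svchost32.exe"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="svchost32.exe" dir=in action=allow program="C:\Users\bob\AppData\Roaming\W2VTWFFiQQxx\svchost32.exe"'},
    # benign: a vendor updater registered under Run from Program Files
    {"EventID": 13, "Computer": "ws01", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # benign: an admin opening the firewall for a tool outside %appdata%
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Tools\agent.exe" agent ENABLE'},
]
```

The Run-key rule deliberately requires the value name to equal the file name of the data, which is the specific shape this worm produces and keeps the rule quiet on ordinary per-user software; the firewall rule keys on the program path rather than the rule name, since the name is attacker-chosen.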

The worm may display a fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.