Win32/Kirly [Threat Name]

Win32/Kirly.A [Threat Variant Name]

Category trojan
Size 138240 B
Detection created Dec 09, 2009
Detection database version 4672
Aliases Trojan-Downloader.Win32.Delf.xjc (Kaspersky)
  Win32:Delf-MTK (Avast)
Short description

Win32/Kirly.A is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • %programfiles%\ACDSee\achelp.dll (150016 B)
  • %programfiles%\Common Files\ODBC\alter.wav (56890 B)
  • %programfiles%\ACDSee\36.bat
  • %windows%\35.bat

In order to be loaded on every system start, the trojan registers the dropped DLL as a COM in-process server and as an Explorer copy hook handler ("CopyMain"), adding it to the list of approved shell extensions. It sets the following Registry entries:

  • [HKEY_CLASSES_ROOT\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\InprocServer32]
    • "(Default)" = "%programfiles%\ACDSee\achelp.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0\0\win32]
    • "(Default)" = "%programfiles%\ACDSee\achelp.dll"
  • [HKEY_CLASSES_ROOT\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0]
    • "(Default)" = "MyCopyHook Library"
  • [HKEY_CLASSES_ROOT\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0\HELPDIR]
    • "(Default)" = "%programfiles%\ACDSee\"
  • [HKEY_CLASSES_ROOT\Interface\{12F8918A-6FE0-452C-B90D-006147867846}]
    • "(Default)" = "ICopyHook"
  • [HKEY_CLASSES_ROOT\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\TypeLib]
    • "(Default)" = "{7A743737-FB8C-4366-9428-05F9F9766ED5}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}]
    • "(Default)" = "CopyMain Object"
  • [HKEY_CLASSES_ROOT\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\TypeLib]
    • "(Default)" = "{7A743737-FB8C-4366-9428-05F9F9766ED5}"
  • [HKEY_CLASSES_ROOT\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\Version]
    • "(Default)" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    • "{72BB4C44-DD09-4F26-A317-D88EFF506576}" = "CopyMain Object"
  • [HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\CopyMain]
    • "(Default)" = "{72BB4C44-DD09-4F26-A317-D88EFF506576}"
  • [HKEY_CLASSES_ROOT\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0\FLAGS]
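
The entries above are a standard shell copy hook registration: Directory\shellex\CopyHookHandlers\CopyMain points at a CLSID, whose InprocServer32 names the DLL Explorer will load, and the CLSID is whitelisted under Shell Extensions\Approved. The PowerShell script below is an added example, not code from the ESET page or from the malware. It enumerates copy hook handlers on a host, resolves each CLSID to its DLL, and flags handlers whose DLL sits outside %SystemRoot%, has no valid Authenticode signature, or is missing from the Approved list. The Printers\shellex path (the other documented location for copy hooks), the field names and the triage heuristic are this example's own choices.

```powershell
# Added example (not from the ESET page): find Explorer copy-hook handlers and
# resolve each CLSID to the DLL it loads, the registration pattern used by
# Win32/Kirly.A for achelp.dll. Read-only; run from an elevated prompt.

# Copy hook handlers are registered under these two shellex keys. HKCR merges
# HKLM\Software\Classes and HKCU\Software\Classes, so both are covered.
$hookRoots = @(
    'Registry::HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers',
    'Registry::HKEY_CLASSES_ROOT\Printers\shellex\CopyHookHandlers'
)
$approvedKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Get-CopyHookHandlers {
    # CLSIDs Explorer is allowed to load as shell extensions.
    $approved = @()
    if (Test-Path -LiteralPath $approvedKey) {
        $approved = (Get-Item -LiteralPath $approvedKey).GetValueNames()
    }

    foreach ($root in $hookRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($handler in Get-ChildItem -LiteralPath $root) {
            # The handler key's default value is the CLSID, e.g. {72BB4C44-...}.
            $clsid = $handler.GetValue('')
            if (-not $clsid) { continue }

            $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $inprocKey = "$clsidKey\InprocServer32"
            $friendly  = $null
            $dll       = $null
            if (Test-Path -LiteralPath $clsidKey) {
                $friendly = (Get-Item -LiteralPath $clsidKey).GetValue('')
            }
            if (Test-Path -LiteralPath $inprocKey) {
                $raw = (Get-Item -LiteralPath $inprocKey).GetValue('')
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
            }

            # Triage heuristic (this example's own): a copy hook whose DLL is
            # outside %SystemRoot%, unsigned or missing, or not in the Approved
            # list deserves a closer look.
            $sigStatus = 'NoDll'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) {
                $sigStatus = 'FileMissing'
            }
            $inSystemRoot = $dll -and $dll.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
            $isApproved   = $approved -contains $clsid

            [pscustomobject]@{
                Handler      = $handler.PSChildName
                Clsid        = $clsid
                FriendlyName = $friendly
                Dll          = $dll
                Signature    = $sigStatus
                Approved     = $isApproved
                Suspicious   = (-not $inSystemRoot) -or ($sigStatus -ne 'Valid') -or (-not $isApproved)
            }
        }
    }
}

Get-CopyHookHandlers | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a Kirly.A-infected host the CopyMain handler would resolve to achelp.dll under %programfiles%\ACDSee with no valid signature, so it sorts to the top. Legitimate third-party copy hooks (archivers, sync clients) also live under Program Files and will be flagged by the path rule; the signature status and the friendly name are what separate them from a dropped DLL.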

Information stealing

The trojan collects the following information:

  • network adapter information

The trojan can send the information to a remote machine.

Other information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserData]
    • "@%number%" = "%random%"

A string with variable content is used instead of %number% and %random%.


The trojan contains a list of 2 URLs. It tries to download several files from these addresses.

The files are then executed.