Win32/Knock [Threat Name] go to Threat

Win32/Knock.AA [Threat Variant Name]

Category trojan
Size 65024 B
Detection created Jul 17, 2009
Detection database version 4255
Aliases Backdoor.Win32.Agent.aiis (Kaspersky)
  PWS:Win32/Prast!rts (Microsoft)
  Generic.BackDoor!gb (McAfee)
Short description

Win32/Knock.AA is a trojan which tries to download other malware from the Internet. It can be controlled remotely. The trojan is designed to artificially generate traffic to certain Internet sites. The trojan sends requests to simulate clicks on banner advertisements, to inflate web counter statistics etc. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­explore.exe (65024 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "explore" = "%system%\­explore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "Explorer.exe "%system%\­explore.exe""
Other information

The trojan contains an URL address.


It tries to download a file from the address.


The file is stored in the following location:

  • %system%\­explore.exe%random%.exe

The variable %random% represents a variable 3 digit number.


The file is then executed.


The trojan acquires data and commands from a remote computer or the Internet.


It can execute the following operations:

  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address

The trojan is designed to artificially generate traffic to certain Internet sites.


The trojan sends requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan terminates processes with any of the following strings in the name:

  • explore.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.