Win32/Koutodoor [Threat Name]

Win32/Koutodoor.ER [Threat Variant Name]

Category trojan
Size 54272 B
Detection created Nov 13, 2009
Detection database version 4603
Aliases Trojan.Win32.Zybr.ahj (Kaspersky)
  Trojan:Win32/Koutodoor.B (Microsoft)
  Trojan.Siggen.22580 (Dr.Web)
Short description

Win32/Koutodoor.ER is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX. It uses techniques common to rootkits (a kernel driver is installed and a user-mode API is hooked, see below).

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\%random1%.sys (29600 B)
  • %system%\%random2%.dll (36864 B)

A string with variable content is used instead of %random1% and %random2%.


Installs the following system drivers (path, name):

  • %system%\drivers\%random1%.sys, %random3%

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random3%\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "%random3%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random3%\0000]
    • "Service" = "%random3%"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "%random3%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random3%]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random3%\Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random3%]
    • "Type" = 1
    • "Start" = 0
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\drivers\%random1%.sys"
    • "DisplayName" = "%random3%"

A string with variable content is used instead of %random3%. Type 1 registers a kernel-mode driver and Start 0 makes it a boot-start driver, so the rootkit component is loaded by the kernel before any user-mode security software starts.

Information stealing

Win32/Koutodoor.ER is a trojan that steals sensitive information.


The trojan collects the following information:

  • network adapter information
  • type of Internet connection
  • Internet Explorer homepage
  • malware version

The trojan can send the information to a remote machine.


The trojan contains a list of 2 URLs. The information is sent over HTTP.

Other information

The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

  • 127.0.0.1 localhost

The trojan hooks the following Windows APIs:

  • ZwQueryValueKey (ntdll.dll)

The trojan opens the following URLs in Internet Explorer:

  • www.9348.cn/?2054=1

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable%" = "%system%\rundll32.exe %system%\%random2%.dll,DllRegisterServer"

A string with variable content is used instead of %variable%.
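The artifacts listed under Installation and Other information can be hunted on a live host with a short triage script. The following is an added example written for this page; it is not ESET's code and the page does not describe such a tool. It reads only the locations the page names: boot-start kernel driver services with their Root\LEGACY_ enum entries, RunOnce values that invoke rundll32 with DllRegisterServer, and the hosts file. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, and uses Authenticode status to separate legitimate boot drivers from a dropped .sys; the category names in the output are the script's own.

```powershell
# Added triage script for the Win32/Koutodoor.ER artifacts described on this page
# (not ESET's code). Assumptions: Windows PowerShell 5.1+, elevated session.

$ErrorActionPreference = 'SilentlyContinue'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Normalise the forms ImagePath takes for kernel drivers so Test-Path can use it:
#   "system32\drivers\x.sys", "\SystemRoot\system32\drivers\x.sys", "\??\C:\...\x.sys"
function Resolve-DriverImage([string]$ImagePath) {
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Installation artifacts: a kernel driver service (Type=1) set to boot start (Start=0)
#    with an image under %system%\drivers and a Root\LEGACY_<name> enum key.
#    Legitimate boot drivers have the same shape, so the Authenticode status of the
#    image is what moves a dropped, randomly named .sys to the top of the list.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty $svc.PSPath
    if ($null -eq $p -or $p.Type -ne 1 -or $p.Start -ne 0 -or -not $p.ImagePath) { continue }
    $img = Resolve-DriverImage $p.ImagePath
    $hasLegacyEnum = Test-Path ('HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_' + $svc.PSChildName)
    if (-not (Test-Path $img)) {
        Add-Finding 'BootDriver-ImageMissing' $svc.PSChildName $img
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $img
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'BootDriver-Unsigned' $svc.PSChildName `
            ("{0} (status={1}, legacy_enum={2}, display='{3}')" -f $img, $sig.Status, $hasLegacyEnum, $p.DisplayName)
    }
}

# 2. Persistence: RunOnce values of the form
#    "<dir>\rundll32.exe <dir>\<name>.dll,DllRegisterServer" re-register the dropped DLL.
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
if (Test-Path $runOnce) {
    $ro = Get-ItemProperty $runOnce
    foreach ($prop in $ro.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not registry values
        $cmd = [string]$prop.Value
        if ($cmd -match '(?i)rundll32(\.exe)?\s+(?<dll>"[^"]+\.dll"|\S+\.dll)\s*,\s*DllRegisterServer') {
            Add-Finding 'RunOnce-DllRegisterServer' ($runOnce + '\' + $prop.Name) $cmd
        }
    }
}

# 3. The trojan rewrites %system%\drivers\etc\hosts. Report every active line that is not
#    the stock loopback mapping, plus the last write time for timeline correlation.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hosts) {
    $mtime = (Get-Item $hosts).LastWriteTimeUtc.ToString('u')
    foreach ($line in Get-Content $hosts) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        if ($t -match '^(127\.0\.0\.1|::1)\s+localhost$') { continue }
        Add-Finding 'Hosts-Entry' ($hosts + ' (mtime=' + $mtime + ')') $t
    }
}

if ($Findings.Count -eq 0) { 'No Koutodoor-style artifacts found.' }
else { $Findings | Sort-Object Kind | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the output. First, the page states that the trojan hooks ZwQueryValueKey in ntdll.dll; a user-mode hook at that point can filter what registry queries return, so on a host where the driver and DLL are resident, results from this script (or regedit) should be confirmed against the SYSTEM and SOFTWARE hives loaded from an offline copy or from WinPE. Second, Get-AuthenticodeSignature only consults the security catalog on Windows 8 and later; on Windows 7 era hosts most Microsoft drivers report NotSigned, so the BootDriver-Unsigned rows are a work queue to compare against a known-good baseline, not a verdict.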
