Win32/Kredoor [Threat Name]

Win32/Kredoor.AS [Threat Variant Name]

Category: trojan
Size: 249344 B
Detection created: Aug 06, 2010
Detection database version: 5346
Aliases: Backdoor.Win32.Kredoor.axj (Kaspersky), Trojan:Win32/Bumat!rts (Microsoft), Trojan.ADH (Symantec)
Short description

Win32/Kredoor.AS is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
    • "VersionEx" = "42.80"
Other information

The trojan contains a list of 3 URLs and also generates various URL addresses.

It tries to download a file from these addresses over HTTP.


The file is stored in the following location:

  • %malwarepath%\%variable%.exe

Here %variable% stands for a string with variable content.

The file is then executed.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • show/hide application windows
  • collect information about the operating system used
  • send gathered information
  • open a specific URL address

The trojan hooks the following Windows APIs:

  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • WinExec (kernel32.dll)
  • ShellExecuteA (shell32.dll)
  • ShellExecuteW (shell32.dll)
  • ShellExecuteExA (shell32.dll)
  • ShellExecuteExW (shell32.dll)
  • waveOutWrite (winmm.dll)
  • PlaySoundA (winmm.dll)
  • PlaySoundW (winmm.dll)
  • sndPlaySoundA (winmm.dll)
  • sndPlaySoundW (winmm.dll)
  • mciSendCommand (winmm.dll)
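The hook list above is a useful defensive indicator: an export of kernel32, shell32 or winmm whose entry point has been rewritten into a jump that leaves the DLL's own image is a strong sign of this kind of inline API hooking. The following check is an added example, not code from the ESET entry; it assumes 32-bit x86 inline hooks, takes a snapshot of export entry bytes as a memory scanner would read them, and uses constructed addresses and bytes as sample input.

```python
import struct
# Exports the ESET description lists as hooked by Win32/Kredoor.AS, keyed by owning DLL.
HOOKED_EXPORTS = {
    "kernel32.dll": ["CreateProcessA", "CreateProcessW", "WinExec"],
    "shell32.dll": ["ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW"],
    "winmm.dll": ["waveOutWrite", "PlaySoundA", "PlaySoundW",
                  "sndPlaySoundA", "sndPlaySoundW", "mciSendCommand"],
}

def classify_prologue(addr, code):
    """(pattern, target) if the x86-32 bytes at addr redirect control flow, else (None, None)."""
    if len(code) >= 5 and code[0] == 0xE9:                      # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # JMP DWORD PTR [abs32]
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32 ; RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None, None

def make_jmp_rel32(addr, target):
    """Encode 'JMP target' placed at addr (used only to build the constructed sample)."""
    rel = (target - (addr + 5) + 0x80000000) % 0x100000000 - 0x80000000
    return b"\xE9" + struct.pack("<i", rel)

def find_hooks(snapshot, modules):
    """snapshot: {(dll, export): (entry_addr, first_bytes)}; modules: {dll: (base, size)}.
    Flags a listed export whose entry jumps to an address outside its own DLL image."""
    hits = []
    for dll, names in HOOKED_EXPORTS.items():
        base, size = modules[dll]
        for name in names:
            if (dll, name) not in snapshot:
                continue
            addr, code = snapshot[(dll, name)]
            pattern, target = classify_prologue(addr, code)
            if pattern and not (base <= target < base + size):
                hits.append((dll, name, pattern, target))
    return hits

# Constructed sample: three export entry points as a memory scanner might read them.
MODULES = {"kernel32.dll": (0x7C800000, 0x100000),
           "shell32.dll": (0x7D590000, 0x800000), "winmm.dll": (0x76B40000, 0x2E000)}
SAMPLE = {
    ("kernel32.dll", "CreateProcessA"): (0x7C80236B, make_jmp_rel32(0x7C80236B, 0x00401000)),
    ("kernel32.dll", "CreateProcessW"): (0x7C802336, b"\x8B\xFF\x55\x8B\xEC"),  # mov edi,edi; push ebp; mov ebp,esp
    ("shell32.dll", "ShellExecuteA"): (0x7D5A6B90, b"\x68\x00\x20\x40\x00\xC3"),  # push 0x402000; ret
}

if __name__ == "__main__":
    for dll, name, pattern, target in find_hooks(SAMPLE, MODULES):
        print("%s!%s redirected via %s to 0x%08X" % (dll, name, pattern, target))
```

On a live system the snapshot would come from reading each export's first bytes out of the target process; a jump whose target lies inside the same DLL (for example a legitimate forwarder) is deliberately not flagged.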
