Win32/Coolvidoor [Threat Name]

Win32/Coolvidoor.AB [Threat Variant Name]

Category: trojan
Size: 173056 B
Detection created: May 12, 2010
Detection database version: 5107
Aliases:
  • Win32:Malware-gen (Avast)
  • Generic20.ABZF.trojan (AVG)
  • BDS/Backdoor.Gen (Avira)
  • Backdoor.Generic.697561 (BitDefender)
  • HEUR:Trojan.Win32.Generic (Kaspersky)
  • Backdoor:Win32/Coolvidoor.G (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %windir%\%originalmalwarefilename%
  • %system%\%originalmalwarefilename%
  • %systemdrive%\%originalmalwarefilename%
  • %currentfolder%\%originalmalwarefilename%

The file name and the location may vary depending on the current settings stored in the malware executable.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"

A string with variable content is used instead of %variable%.


The trojan removes system restore points.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Coolvidoor.AB is a trojan that steals sensitive information.


The trojan collects the following information:

  • computer IP address
  • user name
  • computer name
  • CPU information
  • installed antivirus software
  • installed firewall application
  • operating system version
  • current screen resolution
  • list of disk devices and their type
  • a list of recently visited URLs
  • the path to specific folders
  • list of running services

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL. The TCP/IP protocol is used for the communication.


It can execute the following operations:

  • send the list of running processes to a remote computer
  • terminate running processes
  • show/hide application windows
  • manipulate application windows
  • simulate user input (clicks, taps)
  • turn the display off
  • open the CD/DVD drive
  • block keyboard and mouse input
  • steal information from the Windows clipboard
  • stop itself for a certain time period
  • shut down/restart the computer
  • log off the current user
  • send list of installed applications
  • change the web browser's home page
  • display a dialog window
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • delete files
  • delete folders
  • create folders
  • play sound/video
  • capture webcam picture
  • create Registry entries
  • delete Registry entries
  • start/stop services
  • capture screenshots
  • send requested files
  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinHddso1]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinHddso1]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinSounddrv1A1]

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
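The Registry artifacts above (the persistence entry, the data keys and the policy values) can be checked offline against a registry export. The following is an added example, not part of the ESET write-up: it parses the [key] / "name"=value subset of a .reg export and reports the artifacts named on this page. It assumes the default expansions %windir% = C:\Windows, %system% = C:\Windows\System32 and %systemdrive% = C:\ for the copy locations, and the sample export is constructed.

```python
import ntpath, re

# Registry artifacts taken from the write-up above; the .reg text at the bottom is constructed.
DATA_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinHddso1",
             r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinHddso1",
             r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinSounddrv1A1")
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumed default expansions of %windir%, %system% and %systemdrive% from "Installation".
DROP_DIRS = (r"c:\windows", r"c:\windows\system32", "c:\\")

def parse_reg_export(text: str) -> dict:
    """Map each [key] (lower-cased) to its "name"=value pairs; '\\\\' in values is unescaped."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=(.+)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(keys: dict) -> list:
    """One line per artifact from the write-up found in the parsed export."""
    hits = []
    for key in DATA_KEYS:
        if key.lower() in keys:
            hits.append(f"data key present: {key}")
    policy = keys.get(POLICY_KEY.lower(), {})
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if policy.get(name) == "dword:00000001":
            hits.append(f"policy {name}=1")
    for name, value in keys.get(RUN_KEY.lower(), {}).items():
        target = value.strip('"')
        if ntpath.dirname(target).lower() in DROP_DIRS:  # binary dropped straight into a copy location
            hits.append(f"Run entry '{name}' starts {target} from a drop location")
    return hits

# Constructed sample export: one benign Run entry plus the artifacts described above.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"sysupd"="C:\\Windows\\sysupd.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinHddso1]"""
```

Run `find_indicators(parse_reg_export(SAMPLE_REG))` to list the four matches in the sample; the Run-key heuristic only narrows review, since the entry name is variable and a legitimate program can also live in C:\Windows.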
