Win32/Kasidet [Threat Name]

Win32/Kasidet.AA [Threat Variant Name]

Category worm
Size 146104 B
Aliases Trojan.Win32.Inject.uljv (Kaspersky)
  Worm:Win32/Kasidet.B (Microsoft)
Short description

Win32/Kasidet.AA serves as a backdoor. It can be controlled remotely.


The worm searches local drives for files with the following file extensions:

  • .exe

Only the following folders are searched:

  • %windir%

The worm copies itself to the following location:

  • %appdata%\DDS-NTDTSPJSBPO\%variable1%.exe

The name of the new file is based on the name of the file found in the search.

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\DDS-NTDTSPJSBPO\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\DDS-NTDTSPJSBPO\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "RegId" = %variable2%

A string with variable content is used instead of %variable1-2%.

This causes the worm to be executed on every system start.

The worm creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • filezilla.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

The worm quits immediately if it is run within a debugger.

The worm quits immediately if the executable file path contains one of the following strings:

  • \SAMPLE
  • \VIRUS

The worm quits immediately if the Windows user name is one of the following:


The worm terminates its execution if it detects that it's running in a specific virtual environment.

The worm quits immediately if any of the following applications is detected:

  • Wine
  • Sandboxie
  • SysAnalyzer

Spreading on removable media

Win32/Kasidet.AA is a worm that can be spread via removable media.

The worm copies itself into the root folders of removable drives using a random filename.

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.
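
The following Python is an added triage example for the removable-media behaviour described above; it is not part of this ESET entry. It parses an autorun.inf, extracts the program the [autorun] section would launch, and flags the pattern the description gives: a launch target that is an executable sitting in the drive's root folder. The autorun.inf text, the root-folder listing and the file name kdjs8s2.exe are constructed sample data, not indicators from the page.

```python
"""Assess an autorun.inf from removable media for the Kasidet pattern (added example)."""
import re

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# Keys in [autorun] that cause a program to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}; sections and keys lower-cased."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text: str) -> list[str]:
    """Program paths the [autorun] section would launch (first token of each command)."""
    auto = parse_autorun_inf(text).get("autorun", {})
    targets = []
    for key in LAUNCH_KEYS:
        value = auto.get(key)
        if value:
            targets.append(value.split()[0].strip('"'))
    return targets


def assess_removable_media(autorun_text: str, root_listing: list[str]) -> dict:
    """Kasidet pattern: autorun.inf launching an executable located in the drive root.

    root_listing is the list of entry names in the drive's root folder.
    """
    names = {n.lower() for n in root_listing}
    root_exes: list[str] = []
    for target in launch_targets(autorun_text):
        # Drop a leading ".\" or "\"; any remaining directory part means "not in root".
        rel = re.sub(r"^(?:\.[\\/]|[\\/])", "", target)
        if "\\" in rel or "/" in rel or not rel.lower().endswith(".exe"):
            continue
        if rel.lower() not in root_exes:
            root_exes.append(rel.lower())
    present = [n for n in root_exes if n in names]
    return {"suspicious": bool(root_exes), "root_executables": root_exes, "present": present}


# Constructed sample: a random-looking executable in the root, launched via two keys.
SAMPLE_AUTORUN = """[autorun]
open=kdjs8s2.exe
icon=kdjs8s2.exe,0
action=Open folder to view files
shell\\open\\command=kdjs8s2.exe
"""
SAMPLE_ROOT = ["autorun.inf", "kdjs8s2.exe", "Photos"]

# Constructed benign sample: only sets a label and icon, launches nothing.
BENIGN_AUTORUN = """[autorun]
label=Backup
icon=drive.ico
"""

if __name__ == "__main__":
    print(assess_removable_media(SAMPLE_AUTORUN, SAMPLE_ROOT))
    print(assess_removable_media(BENIGN_AUTORUN, SAMPLE_ROOT))
```

Windows has not honoured autorun.inf on USB drives since Microsoft's 2011 AutoRun update, so this spreading vector only fires on unpatched or legacy systems; the autorun.inf file is nevertheless a useful artefact to look for when triaging media from an infected machine, and the `present` list tells you whether the referenced executable is still on the drive to be collected.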


The worm inserts a copy of itself into RAR archives.

The following names are used:

  • Update.exe
  • DotaMagic.exe
  • VKHackePri8.exe
  • CS16.exe
  • WinUpdate.exe
  • photo_private.exe
  • Tutorial.exe
  • Readme.exe
  • RealPhoto.exe
  • Keygen.exe
  • KIS_keygen.exe

Information stealing

The worm collects the following information:

  • operating system version
  • installed antivirus software
  • computer IP address
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information

The worm collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox
  • Opera
  • FileZilla

The worm is able to log keystrokes.

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (4) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform DoS/DDoS attacks
  • spread via removable drives
  • execute shell commands
  • send files to a remote computer
  • log keystrokes
  • capture screenshots

The worm keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\N3NNetwork\arr]
  • [HKEY_CURRENT_USER\Software\N3NNetwork\rate]
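
As an added defender-side example (not part of this ESET entry), the following Python reads a Registry export in .reg format and flags the three indicator families this description gives: a Run-key value under the persistence entries listed earlier that points into the DDS-NTDTSPJSBPO folder, the RegId value under Windows NT\CurrentVersion, and any key under Software\N3NNetwork. The .reg text, including the value names and data, is constructed sample input. The RegId check is a weak indicator on its own and is reported separately so it can be corroborated with the other two.

```python
"""Flag Kasidet.AA Registry indicators in a .reg export (added example)."""
import re
from typing import Iterable, Iterator

# Indicators from the threat description, lower-cased for comparison.
RUN_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
}
REGID_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
DATA_KEY_PREFIX = "hkey_current_user\\software\\n3nnetwork\\"
PERSIST_FOLDER = "dds-ntdtspjsbpo"

# "name"=data  or  @=data (default value); data is captured raw here.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key_path, value_name, value_data) from .reg export text.

    Only string (REG_SZ) data is unescaped; other types (dword:, hex:) are
    yielded with their raw text, which is enough for the key-based checks.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data.
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        yield key, name, data


def triage_registry(entries: Iterable[tuple[str, str, str]]) -> list[dict]:
    """Return one finding per entry that matches an indicator family."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k in RUN_KEYS and PERSIST_FOLDER in data.lower():
            indicator = "run_key_persistence"
        elif k == REGID_KEY and name.lower() == "regid":
            indicator = "regid_marker"  # weak on its own; corroborate with the others
        elif k.startswith(DATA_KEY_PREFIX):
            indicator = "n3nnetwork_data"
        else:
            continue
        findings.append({"indicator": indicator, "key": key, "name": name, "data": data})
    return findings


def triage_reg_text(text: str) -> list[dict]:
    """Convenience wrapper: parse a .reg export and triage it in one call."""
    return triage_registry(parse_reg_export(text))


# Constructed sample export: one benign Run entry, one Kasidet-style entry,
# the RegId marker and one N3NNetwork data key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"calc"="C:\\Users\\u\\AppData\\Roaming\\DDS-NTDTSPJSBPO\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="u"
"RegId"="a1b2c3d4"

[HKEY_CURRENT_USER\Software\N3NNetwork\arr]
"0"="00"
'''

if __name__ == "__main__":
    for f in triage_reg_text(SAMPLE_REG):
        print(f"{f['indicator']:22} {f['key']}  {f['name']} = {f['data']}")
```

On a live host the same `triage_registry` function can be fed tuples read with the standard `winreg` module instead of a .reg export; the matching logic does not care where the entries come from. Because the Run-key value name is variable (%variable1% in the description, derived from a found .exe name), the check keys on the DDS-NTDTSPJSBPO folder in the data rather than on the value name.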

The worm hooks the following Windows APIs:

  • HttpSendRequestW (wininet.dll)
  • PR_Write (nss3.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)

The worm searches local drives for files with the following file extensions:

  • .exe

Only the following folders are searched:

  • %allusersprofile%
  • %appdata%
  • %temp%

The worm then deletes the found files.

The worm may terminate specific running processes.
