Win32/Kasidet [Threat Name]

Win32/Kasidet.AA [Threat Variant Name]

Category worm
Size 146104 B
Detection created Dec 11, 2014
Detection database version 10864
Aliases Trojan.Win32.Inject.uljv (Kaspersky)
  Worm:Win32/Kasidet.B (Microsoft)
Short description

Win32/Kasidet.AA serves as a backdoor. It can be controlled remotely.

Installation

The worm searches local drives for files with the following file extensions:

  • .exe

Only the following folders are searched:

  • %windir%

The worm copies itself to the following location:

  • %appdata%\DDS-NTDTSPJSBPO\%variable1%.exe

The name of the new file is based on the name of the file found in the search.


The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\DDS-NTDTSPJSBPO\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\DDS-NTDTSPJSBPO\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "RegId" = %variable2%

A string with variable content is used instead of %variable1-2%.


This causes the worm to be executed on every system start.


The worm creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • filezilla.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

The worm quits immediately if it is run within a debugger.


The worm quits immediately if the executable file path contains one of the following strings:

  • \SAMPLE
  • \VIRUS
  • SANDBOX

The worm quits immediately if the Windows user name is one of the following:

  • MALTEST
  • TEQUILABOOMBOOM
  • SANDBOX
  • MALWARE

The worm terminates its execution if it detects that it's running in a specific virtual environment.


The worm quits immediately if any of the following applications is detected:

  • Wine
  • Sandboxie
  • SysAnalyzer

Spreading on removable media

Win32/Kasidet.AA is a worm that can be spread via removable media.


The worm copies itself into the root folders of removable drives using a random filename.


The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.

Spreading

The worm inserts a copy of itself into RAR archives.


The following names are used:

  • Update.exe
  • DotaMagic.exe
  • VKHackePri8.exe
  • CS16.exe
  • WinUpdate.exe
  • photo_private.exe
  • Tutorial.exe
  • Readme.exe
  • RealPhoto.exe
  • Keygen.exe
  • KIS_keygen.exe

Information stealing

The worm collects the following information:

  • operating system version
  • installed antivirus software
  • computer IP address
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information

The worm collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox
  • Opera
  • FileZilla

The worm is able to log keystrokes.


The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of 4 URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform DoS/DDoS attacks
  • spread via removable drives
  • execute shell commands
  • send files to a remote computer
  • log keystrokes
  • capture screenshots

The worm keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\N3NNetwork\arr]
  • [HKEY_CURRENT_USER\Software\N3NNetwork\rate]
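
The persistence entries from the Installation section and the state keys listed above, gathered into one defender's hunting check. This PowerShell script is an added example, not ESET's code; it assumes the current user's %appdata% is the profile the worm wrote to, that the registry paths are exactly as given on this page, and it reports the RegId value for review rather than treating it as conclusive on its own.

```powershell
# Added hunting check for the Win32/Kasidet.AA artifacts described on this page.
# Run in an elevated PowerShell session; read-only, nothing is deleted.
$findings = @()

# 1. Run values pointing into %appdata%\DDS-NTDTSPJSBPO (the persistence entries above)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'DDS-NTDTSPJSBPO') {
            $findings += [pscustomobject]@{ Artifact = 'Run value'; Location = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 2. The drop directory itself (assumption: current user's %appdata%)
$dropDir = Join-Path $env:APPDATA 'DDS-NTDTSPJSBPO'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -Filter '*.exe' -File | ForEach-Object {
        $findings += [pscustomobject]@{ Artifact = 'Dropped file'; Location = $_.FullName; Value = "$($_.Length) bytes" }
    }
}

# 3. State keys the page lists under HKCU\Software\N3NNetwork
foreach ($sub in 'arr', 'rate') {
    $k = "HKCU:\Software\N3NNetwork\$sub"
    if (Test-Path $k) {
        $findings += [pscustomobject]@{ Artifact = 'State key'; Location = $k; Value = 'present' }
    }
}

# 4. "RegId" under Windows NT\CurrentVersion; reported for analyst review, not as proof on its own
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$regId = (Get-ItemProperty -Path $cv -Name 'RegId' -ErrorAction SilentlyContinue).RegId
if ($null -ne $regId) {
    $findings += [pscustomobject]@{ Artifact = 'RegId value'; Location = "$cv\RegId"; Value = $regId }
}

if ($findings.Count -eq 0) { 'No Win32/Kasidet.AA artifacts found.' } else { $findings | Format-Table -AutoSize }
```

A hit on the Run value or the drop directory is the strongest signal; the N3NNetwork keys corroborate an active infection and should be preserved before any cleanup.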

The worm hooks the following Windows APIs:

  • HttpSendRequestW (wininet.dll)
  • PR_Write (nss3.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)

The worm searches local drives for files with the following file extensions:

  • .exe

Only the following folders are searched:

  • %allusersprofile%
  • %appdata%
  • %temp%

The worm then deletes the found files.


The worm may terminate specific running processes.
