Win32/Kasidet [Threat Name]
Win32/Kasidet.AD [Threat Variant Name]
Category | worm
Size | 295424 B
Aliases | Trojan.Win32.SelfDel.blcu (Kaspersky), Trojan.MulDrop6.16162 (Dr.Web), Trojan:Win32/Dynamer!ac (Microsoft)
Short description
Win32/Kasidet.AD serves as a backdoor. It can be controlled remotely.
Installation
The worm searches for files with the following file extensions:
- .exe
Only the following folders are searched:
- %windir%
It avoids files which contain any of the following strings in their path:
- install
- setup
- update
- patch
The worm copies itself to the following location:
- %appdata%\W2VTWFFiQQxx\%variable%.exe
The name of the new file is based on the name of the file found in the search.
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%.exe" = "%appdata%\W2VTWFFiQQxx\%variable%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%.exe" = "%appdata%\W2VTWFFiQQxx\%variable%.exe"
This causes the worm to be executed on every system start.
The worm schedules a task that causes the following file to be executed daily:
- %appdata%\W2VTWFFiQQxx\%variable%.exe
A string with variable content is used instead of %variable%.
The worm creates and runs a new thread with its own program code within the following processes:
- chrome.exe
- firefox.exe
- iexplore.exe
- maxthon.exe
The worm quits immediately if it is run within a debugger.
The worm quits immediately if the executable file path contains one of the following strings:
- SAMPLE
- VIRUS
- SANDBOX
The worm quits immediately if the Windows user name is one of the following:
- MALTEST
- TEQUILABOOMBOOM
- SANDBOX
- MALWARE
- VIRUS
The worm terminates its execution if it detects that it's running in a specific virtual environment.
The worm quits immediately if any of the following applications is detected:
- Wine
Information stealing
The worm searches the memory of running processes and tries to find the following information:
- credit card information
The worm collects the following information:
- operating system version
- installed antivirus software
- computer IP address
- malware version
The worm collects sensitive information when the user browses certain web sites.
The following programs are affected:
- Google Chrome
- Internet Explorer
- Maxthon
- Mozilla Firefox
- Opera
The worm is able to log keystrokes.
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of (4) URLs. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- perform DoS/DDoS attacks
- execute shell commands
- send files to a remote computer
- log keystrokes
- capture screenshots
- redirect network traffic
The worm keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Software\W2VTWFFiQQxx\arr]
- [HKEY_CURRENT_USER\Software\W2VTWFFiQQxx\rate]
- [HKEY_CURRENT_USER\Software\W2VTWFFiQQxx\Addr]
The worm hooks the following Windows APIs:
- PR_Write (nss3.dll)
- SSL_write (chrome.dll)
- HttpSendRequestW (wininet.dll)
- InternetWriteFile (wininet.dll)
- InternetConnectW (wininet.dll)
- getaddrinfo (ws2_32.dll)
- GetAddrInfoW (ws2_32.dll)
- gethostbyname (ws2_32.dll)
- WSASend (ws2_32.dll)
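The hooks listed above are placed inside the browser processes the worm injects into, so one defender-side check is to compare the first bytes of each of these exports as mapped in a running process with the same bytes in the module file on disk. The script below is an added example, not ESET's code and not part of the worm: it takes (export name, address, on-disk prologue, in-memory prologue) tuples, flags any export whose prologue was rewritten, and decodes the common x86/x64 trampoline stubs to recover the hook target. All addresses and byte strings are constructed; in practice the on-disk bytes come from the PE export table and the in-memory bytes from a process memory read.

```python
"""Spot inline (trampoline) hooks on exported functions by diffing the first
bytes of each export as mapped in a process against the module file on disk.
All addresses and byte strings below are constructed for this example."""
import struct
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 8  # bytes compared; common stubs overwrite 5 (x86) or 12 (x64)


def decode_trampoline(func_addr: int, code: bytes) -> Tuple[str, Optional[int]]:
    """Classify the stub at the start of a hooked function and resolve its
    target where the encoding makes that possible."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp [mem]
        # The target sits behind a pointer; resolving it needs a memory read.
        return "jmp [mem]", None
    return "modified prologue", None


def check_export(name: str, func_addr: int, disk: bytes, mem: bytes) -> Dict[str, object]:
    """Compare the on-disk and in-memory prologue of one export."""
    result: Dict[str, object] = {"export": name, "hooked": False,
                                 "hook_type": None, "target": None}
    # Caveat: bytes covered by base relocations differ legitimately after the
    # loader rebases a module; a production check skips relocated bytes.
    if disk[:PROLOGUE_LEN] == mem[:PROLOGUE_LEN]:
        return result
    result["hooked"] = True
    result["hook_type"], result["target"] = decode_trampoline(func_addr, mem)
    return result


def scan(exports: List[Tuple[str, int, bytes, bytes]]) -> List[Dict[str, object]]:
    """Run check_export() over a list of (name, address, disk bytes, memory bytes)."""
    return [check_export(*entry) for entry in exports]


# Constructed samples. The clean prologue is the usual hot-patchable x86 entry
# (mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10); the hooked copies keep
# the original bytes that follow the 5- or 6-byte stub.
CLEAN = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10"
SAMPLE_EXPORTS = [
    ("PR_Write", 0x6A001000, CLEAN, b"\xE9" + struct.pack("<i", 0x1000) + CLEAN[5:]),
    ("HttpSendRequestW", 0x76A01234, CLEAN, CLEAN),
    ("WSASend", 0x76C0A000, CLEAN,
     b"\x68" + struct.pack("<I", 0x00401500) + b"\xC3" + CLEAN[6:]),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EXPORTS):
        target = f"0x{r['target']:X}" if r["target"] is not None else "?"
        print(f"{r['export']}: hooked={r['hooked']} type={r['hook_type']} target={target}")
```

A hit on any of the exports named above inside chrome.exe, firefox.exe, iexplore.exe or maxthon.exe is worth a closer look; the resolved target should land inside a loaded module, and a target in an unbacked, executable private region is the pattern a thread-injected payload leaves.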
The worm may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "EnableSPDY3_0" = 0
The worm may execute the following commands:
- netsh firewall add allowedprogram "%malwarefilepath%" %malwarefilename% ENABLE
- netsh advfirewall firewall add rule name="%malwarefilename%" dir=in action=allow program="%malwarefilepath%"
Either command adds a Windows Firewall exception for the worm's executable.
The worm may display a fake error message: