Win32/Kelihos [Threat Name]

Win32/Kelihos.E [Threat Variant Name]

Category trojan
Size 889344 B
Aliases Trojan:Win32/Malagent (Microsoft), GenericBackDoor.xf.trojan (McAfee)
Short description

The trojan serves as a backdoor and can be controlled remotely. The file is run-time compressed using MYSTIC.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MozillaAgent" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MozillaAgent" = "%malwarefilepath%"

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\software\Mozilla]
    • "ID" = "%variable1%"
    • "ID2" = "%variable2%"
    • "ID3" = "%variable3%"
    • "AppID" = "%variable4%"

%variable1% to %variable4% stand for strings with variable content.


By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.


The trojan creates the following files:

  • %windir%\system32\drivers\Packet.dll (100880 B, WinPcap application)
  • %windir%\system32\drivers\wpcap.dll (281104 B, WinPcap application)
  • %windir%\system32\drivers\npf.sys (50704 B, WinPcap application)

Information stealing

Win32/Kelihos.E is a trojan that steals sensitive information.


The trojan collects the following information:

  • FTP account information
  • Bitcoin wallet contents
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • e-mail addresses

The following programs are affected:

  • 32bit FTP
  • BitKinex
  • BulletProof FTP Client
  • Classic FTP
  • Core FTP
  • CuteFTP
  • Directory Opus
  • Far Manager
  • FFFTP
  • FileZilla
  • Flash FXP
  • Fling
  • Frigate3 FTP
  • FTP Commander
  • FTP Commander Pro
  • FTP Control
  • FTP Explorer
  • FTPRush
  • LeapFTP
  • NetDrive
  • SecureFX
  • SmartFTP
  • SoftX FTP Client
  • Total Commander
  • TurboFTP
  • UltraFXP
  • Web Site Publisher
  • WebDrive
  • Windows Commander
  • WinSCP
  • WS_FTP

The trojan gathers e-mail addresses from all local files.


It avoids files with the following extensions:

  • .7z
  • .avi
  • .bmp
  • .class
  • .dll
  • .exe
  • .gif
  • .gz
  • .hxd
  • .hxh
  • .hxn
  • .hxw
  • .jar
  • .jpeg
  • .jpg
  • .mov
  • .mp3
  • .msi
  • .ocx
  • .ogg
  • .png
  • .rar
  • .vob
  • .wav
  • .wave
  • .wma
  • .wmv
  • .zip

The trojan attempts to send gathered information to a remote machine.

Spreading on removable media

The trojan spreads by exploiting a vulnerability in the operating system of the targeted machine. It exploits the CVE-2010-2568 vulnerability.


The trojan copies itself into the root folders of removable drives using the following name:

  • ggl1.tmp

The following files are dropped in the same folder:

  • ggl.tmp (85504 B, Win32/Kelihos.A)
  • Shortcut to google.lnk (392 B, LNK/Exploit.CVE-2010-2568)
  • Copy of Shortcut to google.lnk (392 B, LNK/Exploit.CVE-2010-2568)
  • Copy of Copy of Shortcut to google.lnk (392 B, LNK/Exploit.CVE-2010-2568)

The Windows Shell allows local users or remote attackers to execute arbitrary code via a crafted *.lnk or *.pif shortcut file when its icon is displayed.


By exploiting this vulnerability, an attacker may be able to execute arbitrary code remotely on a vulnerable system.


No further user interaction is required to execute arbitrary code.


Thus, the trojan ensures it is started each time infected media is inserted into the computer.
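The following Python script is an added illustration for the Installation and Spreading on removable media sections above; it is not ESET's tooling and not part of the original entry. It checks three kinds of input against the indicators the entry lists: a registry export for the "MozillaAgent" Run value and the ID/ID2/ID3/AppID values under HKCU\software\Mozilla, a removable-drive root listing for the dropped ggl*.tmp and "Shortcut to google.lnk" files, and a set of file paths for the WinPcap components placed in system32\drivers. The sample .reg text, file names and paths are constructed for the example; registry comparisons are case-insensitive because the Windows registry is, and a Mozilla key under HKCU\Software is by itself not an indicator, since legitimate Mozilla products use it too.

```python
"""Checks for the Win32/Kelihos.E host and removable-media indicators listed
in the entry above.  Added example; the sample inputs are constructed."""
import re
from typing import Dict, Iterable, List

# Indicators taken from the entry (lower-cased for case-insensitive matching).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
RUN_VALUE_NAME = "mozillaagent"
STORAGE_KEY = r"hkey_current_user\software\mozilla"
STORAGE_VALUES = {"id", "id2", "id3", "appid"}
REMOVABLE_DROP_NAMES = {
    "ggl1.tmp",
    "ggl.tmp",
    "shortcut to google.lnk",
    "copy of shortcut to google.lnk",
    "copy of copy of shortcut to google.lnk",
}
# The entry places all three WinPcap components under system32\drivers.
DRIVER_DIR_DROPS = {"packet.dll", "wpcap.dll", "npf.sys"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="string value" lines.  Keys and value names are lower-cased."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def find_registry_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per matching Kelihos.E registry artefact."""
    findings = []
    for key, values in reg.items():
        if key in RUN_KEYS and RUN_VALUE_NAME in values:
            findings.append(f"run entry {key}\\MozillaAgent -> {values[RUN_VALUE_NAME]}")
        # Only the specific value names are the indicator; the key itself is
        # also used by legitimate Mozilla software.
        if key == STORAGE_KEY:
            present = sorted(STORAGE_VALUES & set(values))
            if present:
                findings.append(f"storage values under {key}: {present}")
    return findings


def find_removable_drops(root_listing: Iterable[str]) -> List[str]:
    """File names in a removable drive's root that match the dropped set."""
    return sorted(n for n in root_listing if n.lower() in REMOVABLE_DROP_NAMES)


def find_driver_dir_drops(paths: Iterable[str]) -> List[str]:
    """Paths whose file name is a WinPcap component and whose parent directory
    is system32\\drivers, the location the entry gives for the drops."""
    hits = []
    for p in paths:
        parts = p.lower().replace("/", "\\").split("\\")
        if len(parts) < 3 or parts[-1] not in DRIVER_DIR_DROPS:
            continue
        if parts[-3:-1] == ["system32", "drivers"]:
            hits.append(p)
    return sorted(hits)


def scan(reg_text: str, drive_root: Iterable[str], file_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Run all three checks and group the findings."""
    return {
        "registry": find_registry_indicators(parse_reg_export(reg_text)),
        "removable": find_removable_drops(drive_root),
        "driver_dir": find_driver_dir_drops(file_paths),
    }


# Constructed sample inputs (the executable path and ID values are invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"MozillaAgent"="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"

[HKEY_CURRENT_USER\software\Mozilla]
"ID"="3f9c0a"
"ID2"="77b1"
"AppID"="c0ffee"
'''
SAMPLE_DRIVE_ROOT = ["ggl1.tmp", "ggl.tmp", "Shortcut to google.lnk", "holiday.jpg", "notes.txt"]
SAMPLE_PATHS = [
    r"C:\Windows\system32\drivers\npf.sys",
    r"C:\Windows\system32\drivers\Packet.dll",
    r"C:\Windows\system32\wpcap.dll",  # legitimate WinPcap location, not flagged
    r"C:\Windows\system32\drivers\ntfs.sys",
]

if __name__ == "__main__":
    for category, items in scan(SAMPLE_REG, SAMPLE_DRIVE_ROOT, SAMPLE_PATHS).items():
        for item in items:
            print(f"[{category}] {item}")
```

On a live host the registry text would come from a `reg export` of the two Run keys and HKCU\Software\Mozilla, and the path list from a directory listing of %windir%\system32\drivers; the Run entry plus the four storage values together are a much stronger signal than any one of them alone.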

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of computers (peers) which can be used for exchanging information and instructions for further action (in the format: "IP address:Port"):

  • 46.46.87.2:80
  • 95.180.187.10:80
  • 31.41.8.11:80
  • 81.190.178.12:80
  • 31.170.134.13:80
  • 77.239.13.16:80
  • 190.94.237.18:80
  • 78.84.52.19:80
  • 212.22.222.21:80
  • 66.91.51.23:80
  • 77.239.66.28:80
  • 62.215.166.29:80
  • 72.185.8.30:80
  • 130.212.18.31:80
  • 91.220.90.33:80
  • 164.15.100.35:80
  • 188.230.107.39:80
  • 178.165.110.39:80
  • 85.24.199.48:80
  • 89.116.28.49:80
  • 84.122.24.50:80
  • 213.113.51.50:80
  • 109.97.89.50:80
  • 89.34.249.50:80
  • 130.43.140.53:80
  • 91.67.33.54:80
  • 203.192.244.54:80
  • 161.116.73.55:80
  • 187.184.33.56:80
  • 31.170.135.56:80
  • 175.205.116.57:80
  • 138.100.53.58:80
  • 220.227.55.58:80
  • 88.222.176.59:80
  • 213.92.178.59:80
  • 89.36.248.59:80
  • 77.211.89.63:80
  • 61.61.219.64:80
  • 89.229.221.64:80
  • 84.123.246.64:80
  • 95.68.42.66:80
  • 77.81.50.66:80
  • 67.165.216.66:80
  • 190.1.52.70:80
  • 85.15.204.72:80
  • 31.170.137.74:80
  • 147.156.158.75:80
  • 83.165.109.76:80
  • 112.210.141.77:80
  • 92.115.148.80:80
  • 46.249.135.84:80
  • 94.251.189.86:80
  • 212.79.117.87:80
  • 95.208.19.88:80
  • 176.31.157.88:80
  • 186.136.112.89:80
  • 70.60.52.91:80
  • 98.149.251.96:80
  • 93.118.210.100:80
  • 217.144.24.102:80
  • 89.149.80.102:80
  • 69.47.94.103:80
  • 78.60.238.104:80
  • 82.75.33.106:80
  • 96.10.251.108:80
  • 178.148.70.112:80
  • 78.31.229.112:80
  • 178.201.246.114:80
  • 82.81.28.115:80
  • 186.137.172.116:80
  • 87.206.233.118:80
  • 93.176.232.119:80
  • 89.228.43.120:80
  • 46.105.114.120:80
  • 84.42.131.121:80
  • 65.185.100.122:80
  • 221.147.70.123:80
  • 24.163.56.124:80
  • 188.140.87.124:80
  • 31.220.253.124:80
  • 71.204.9.125:80
  • 161.111.80.126:80
  • 85.122.82.126:80
  • 31.47.25.127:80
  • 24.2.231.128:80
  • 174.61.35.130:80
  • 89.74.18.131:80
  • 201.239.59.131:80
  • 78.106.78.131:80
  • 62.84.45.133:80
  • 84.52.147.133:80
  • 178.235.32.135:80
  • 95.65.98.137:80
  • 212.7.28.138:80
  • 89.253.176.139:80
  • 188.2.2.140:80
  • 69.27.61.144:80
  • 78.96.228.144:80
  • 173.19.16.146:80
  • 69.249.0.148:80
  • 68.114.12.150:80
  • 75.76.3.154:80
  • 98.197.69.154:80
  • 142.104.19.158:80
  • 84.231.7.163:80
  • 109.225.69.164:80
  • 190.83.202.166:80
  • 62.82.154.167:80
  • 78.97.209.173:80
  • 62.43.57.174:80
  • 85.186.123.178:80
  • 109.251.146.180:80
  • 187.22.64.181:80
  • 109.90.34.183:80
  • 95.58.206.192:80
  • 61.58.74.193:80
  • 178.150.189.193:80
  • 68.57.27.194:80
  • 85.155.141.195:80
  • 184.58.129.198:80
  • 130.243.188.198:80
  • 94.52.223.200:80
  • 31.133.33.201:80
  • 176.8.100.204:80
  • 46.109.139.204:80
  • 31.47.22.205:80
  • 31.133.37.212:80
  • 201.248.107.212:80
  • 85.216.190.212:80
  • 68.53.200.215:80
  • 31.129.112.219:80
  • 74.71.105.220:80
  • 109.122.5.224:80
  • 89.47.58.225:80

It may perform the following actions:

  • perform DoS/DDoS attacks
  • set up a proxy server
  • monitor network traffic
  • send spam

The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.
