Win32/Koutodoor [Threat Name]

Win32/Koutodoor.EN [Threat Variant Name]

Category trojan
Size 55808 B
Aliases Trojan.Win32.Zybr.aej (Kaspersky)
  MultiDropper-TM (McAfee)
  Trojan:Win32/Koutodoor.B (Microsoft)
Short description

Win32/Koutodoor.EN is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX. It uses techniques common for rootkits.

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\%random1%.sys (29056 B)
  • %system%\%random2%.dll (32768 B)

A string with variable content is used instead of %random1% and %random2%.


The trojan executes the following command:

  • %system%\rundll32.exe %system%\%random2%.dll,DllRegisterServer

The trojan installs the following system driver (path, name):

  • %system%\drivers\%random1%.sys, %random3%

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random3%\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "%random3%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random3%\0000]
    • "Service" = "%random3%"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "%random3%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%random3%]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random3%\Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random3%]
    • "Type" = 1
    • "Start" = 0
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\drivers\%random1%.sys"
    • "DisplayName" = "%random3%"

A string with variable content is used instead of %random3%.

Information stealing

Win32/Koutodoor.EN is a trojan that steals sensitive information.


The trojan collects the following information:

  • network adapter information
  • type of Internet connection
  • Internet Explorer homepage
  • malware version

The trojan can send the information to a remote machine.


The trojan contains a list of 2 URLs. The HTTP protocol is used.

Other information

The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

  • 127.0.0.1  localhost

The trojan hooks the following Windows APIs:

  • ZwQueryValueKey (ntdll.dll)

The trojan opens the following URLs in Internet Explorer:

  • www.9348.cn/?20541

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%variable%" = "%system%\rundll32.exe %system%\%random2%.dll,DllRegisterServer"

A string with variable content is used instead of %variable%.
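The registry artefacts listed under Installation (the Services\%random3% boot-start driver) and the RunOnce loader entry above can be triaged from a `reg export` file. The following is an added example, not ESET's code or the trojan's, and the service, driver, DLL and value names in the sample are constructed stand-ins for the %random% placeholders:

```python
# Constructed "reg export" fragment; hypothetical names stand in for the %random% placeholders, and Beep is a benign driver kept for contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzxvt]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="C:\\Windows\\system32\\drivers\\kpfwq.sys"
"DisplayName"="qzxvt"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
"DisplayName"="Beep"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"abc"="C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\hjkln.dll,DllRegisterServer"
"""
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
RUNONCE = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"

def parse_reg(text):
    # Minimal .reg parser -> {key path: {value name: str | int}}; string and dword only.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:  # quoted string; .reg files double every backslash
                value = raw.strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = value
    return keys

def find_indicators(keys):
    # Boot-start .sys service whose DisplayName is just its own name, plus a RunOnce rundll32 DllRegisterServer loader.
    findings = []
    for path, values in keys.items():
        if path.startswith(SERVICES) and "\\" not in path[len(SERVICES):]:
            name = path[len(SERVICES):]
            image = str(values.get("ImagePath", "")).lower()
            if (values.get("Type") == 1 and values.get("Start") == 0 and image.endswith(".sys")
                    and "\\drivers\\" in image and values.get("DisplayName") == name):
                findings.append(("boot-start driver", name, values["ImagePath"]))
        elif path == RUNONCE:
            for vname, cmd in values.items():
                low = str(cmd).lower()
                if "rundll32.exe" in low and low.endswith(",dllregisterserver"):
                    findings.append(("RunOnce loader", vname, cmd))
    return findings
```

Matches are leads for a responder to confirm (for example by checking the driver file's size and packer against the figures above), since legitimate boot-start drivers can also use their own name as DisplayName.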
