Win32/Kovter [Threat Name]
Win32/Kovter.A [Threat Variant Name]
Category | trojan |
Size | 165927 B |
Aliases | Trojan-Dropper.Win32.Injector.kdjv (Kaspersky) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to one or more of the following locations:
- %commonappdata%\Microsoft\{%variable%}\{%variable%}.exe
- %localappdata%\Microsoft\{%variable%}\{%variable%}.exe
- %localappdata%\{%variable%}\{%variable%}.exe
- %appdata%\{%variable%}\{%variable%}.exe
- %windir%\{%variable%}\{%variable%}.exe
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "{%variable%}" = "%malwarefilepath%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "{%variable%}" = "%malwarefilepath%"
The trojan launches the following processes:
- %defaultbrowser%
- explorer.exe
- svchost.exe
- %originalmalwarefile%
The trojan creates and runs a new thread with its own code within these running processes.
The trojan creates a new local user account whose name mimics the built-in NETWORK SERVICE service account, with the username:
- NETWORK SERVICE
and the password:
- KCYmap719!
The account is hidden from the logon screen through the SpecialAccounts\UserList entry listed below.
The following Registry entries are set. The numeric values under Internet Settings\Zones\3 (Internet zone) and Zones\1 (Local intranet zone) are Internet Explorer URL-action policies, and 0 is the Allow/Enable setting (for example 1400 is Active scripting, 1407 is programmatic clipboard access and 1601 is submission of non-encrypted form data):
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
- ".Default" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1400" = 0
- "1402" = 0
- "1407" = 0
- "1206" = 0
- "1601" = 0
- "2300" = 0
- "1809" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1400" = 0
- "1402" = 0
- "1407" = 0
- "1206" = 0
- "1601" = 0
- "2300" = 0
- "1809" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
- "Display Inline Images" = "yes"
- "Enable AutoImageResize" = "yes"
- "Play_Animations" = "yes"
- "UseThemes" = "yes"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "%malwarefilename%" = %variable%
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_INPUT_PROMPTS]
- "%malwarefilename%" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
- "NETWORK SERVICE" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
- "limitblankpassworduse" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
- "limitblankpassworduse" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Lsa]
- "limitblankpassworduse" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
- "limitblankpassworduse" = 0
- [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating]
- ".Current" = ""
A string with variable content is used instead of %variable%. The FeatureControl entries are keyed on the trojan's own file name, so they apply only to the browser control hosted inside its process. "limitblankpassworduse" defaults to 1; setting it to 0 lifts the restriction that keeps local accounts with blank passwords from logging on over the network.
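The checks below, added here as a worked example and not taken from ESET or from the sample, turn the installation indicators above into a host-triage script. It assumes Windows PowerShell 3.0 or later with Get-CimInstance available; the function names, the correlation rules (a Run value whose target has the <root>\<dir>\<file>.exe shape, all seven zone actions set to 0) and the finding labels are this example's own.

```powershell
# Added example, not ESET's or the malware author's code: triage a host for the
# Win32/Kovter.A installation indicators listed above. Run in an elevated
# PowerShell. Registry paths and value names come from the description; the
# correlation rules and labels are assumptions of this example.

function Get-KovterIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # Drop roots from the description: <root>\{variable}\{variable}.exe
    $dropRoots = @(
        (Join-Path $env:ProgramData 'Microsoft'),     # %commonappdata%\Microsoft
        (Join-Path $env:LOCALAPPDATA 'Microsoft'),    # %localappdata%\Microsoft
        $env:LOCALAPPDATA, $env:APPDATA, $env:windir
    )
    function Test-DropPath([string]$Path) {
        # True only for <root>\<one subdirectory>\<file>.exe, the exact listed shape
        foreach ($root in $dropRoots) {
            $r = $root.TrimEnd('\')
            if ($Path -like "$r\*\*.exe" -and
                $Path.Substring($r.Length + 1).Split('\').Count -eq 2) { return $true }
        }
        return $false
    }

    # 1. Run values (HKLM Run and policies\Explorer\Run) whose target sits in a drop root
    $suspectExes = @()
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            # Take the executable path, with or without quotes, ignoring any arguments
            $m = [regex]::Match([string]$p.Value, '^\s*"?([^"]+?\.exe)', 'IgnoreCase')
            if (-not $m.Success) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
            if (Test-DropPath $exe) {
                Add-Finding 'Run value' "$key : $($p.Name) = $($p.Value)"
                $suspectExes += [IO.Path]::GetFileName($exe)
            }
        }
    }

    # 2. A local user named after the built-in service account. The real NETWORK SERVICE
    #    is S-1-5-20 and is never a local user object; a rogue one carries the machine SID.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=TRUE AND Name='NETWORK SERVICE'"
    if ($acct) {
        Add-Finding 'Rogue account' "local user 'NETWORK SERVICE' exists, SID $($acct.SID)"
    }
    $ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if ($null -ne (Get-ItemProperty -Path $ul -Name 'NETWORK SERVICE' -ErrorAction SilentlyContinue)) {
        Add-Finding 'Hidden from logon UI' "$ul : 'NETWORK SERVICE' present"
    }

    # 3. LSA: limitblankpassworduse defaults to 1 in every control set
    foreach ($cs in 'CurrentControlSet', 'ControlSet001', 'ControlSet002', 'ControlSet003') {
        $lsa = "HKLM:\SYSTEM\$cs\Control\Lsa"
        $v = (Get-ItemProperty -Path $lsa -Name limitblankpassworduse -ErrorAction SilentlyContinue).limitblankpassworduse
        if ($v -eq 0) { Add-Finding 'LSA weakened' "$lsa : limitblankpassworduse = 0" }
    }

    # 4. IE URL-action policies for zone 3 (Internet) and zone 1 (Local intranet).
    #    Some of these are 0 by default, so only the full set of seven is reported.
    $actions = @{ '1400' = 'Active scripting'; '1402' = 'Scripting of Java applets';
                  '1407' = 'Programmatic clipboard access'; '1206' = 'Scripting of the WebBrowser control';
                  '1601' = 'Submit non-encrypted form data'; '2300' = 'Restricted protocols for active content';
                  '1809' = 'Use Pop-up Blocker' }
    foreach ($zone in 3, 1) {
        $zk = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $zp = Get-ItemProperty -Path $zk -ErrorAction SilentlyContinue
        if (-not $zp) { continue }
        $zeroed = @($actions.Keys | Where-Object { $zp.$_ -eq 0 } | Sort-Object)
        if ($zeroed.Count -eq $actions.Count) {
            Add-Finding 'IE zone policy' "zone $zone : $($zeroed -join ',') all set to 0"
        }
    }

    # 5. FeatureControl values keyed on a suspect file name, and the silenced navigation click
    foreach ($exe in $suspectExes) {
        foreach ($fc in 'FEATURE_BROWSER_EMULATION', 'FEATURE_BLOCK_INPUT_PROMPTS') {
            $fk = "HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\$fc"
            if ($null -ne (Get-ItemProperty -Path $fk -Name $exe -ErrorAction SilentlyContinue)) {
                Add-Finding 'IE FeatureControl' "$fk : $exe present"
            }
        }
    }
    # The description lists ".Current" as a value; on a live system it is the subkey whose
    # default value names the sound file, so an empty default is what is checked here.
    $cur = (Get-ItemProperty -Path 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating\.Current' `
            -ErrorAction SilentlyContinue).'(default)'
    if ($cur -eq '') { Add-Finding 'Sound muted' 'Explorer Navigating .Current default value is empty' }

    return $findings
}

Get-KovterIndicators | Format-Table -AutoSize
```

A single finding is weak on its own (legitimate software also uses FeatureControl and some zone actions are 0 by default); a Run value in a drop root combined with the rogue account or the LSA change is what should trigger collection of the referenced executable before any cleanup.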
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of three URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- uninstall itself
The trojan sends HTTP requests that simulate clicks on banner advertisements and inflate web counter statistics (click fraud).
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable%]
- [HKEY_CURRENT_USER\SOFTWARE\%variable%]
A string with variable content is used instead of %variable%.
The following programs are terminated:
- java.exe
- javaw.exe
- javaws.exe
- taskmgr.exe
- TM.exe
The trojan hooks the following Windows APIs in the processes it has injected; the audio (DirectSound, waveOut) and MessageBox hooks are consistent with silencing the sound and dialogs produced by the advertisement pages it loads:
- CoCreateInstance (ole32.dll)
- CreateProcessA (kernel32.dll)
- CreateProcessW (kernel32.dll)
- DirectSoundCreate (dsound.dll)
- DirectSoundCreate8 (dsound.dll)
- InternetReadFile (wininet.dll)
- MessageBoxA (user32.dll)
- MessageBoxW (user32.dll)
- OpenProcess (kernel32.dll)
- PostMessageA (user32.dll)
- ShellExecuteA (shell32.dll)
- ShellExecuteExA (shell32.dll)
- ShellExecuteExW (shell32.dll)
- ShellExecuteW (shell32.dll)
- waveOutWrite (Winmm.dll)
- WinExec (kernel32.dll)