Home / malware Trojan:Win32/Kilim.B
First posted on 12 February 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Kilim.B.
Explanation :
Threat behavior
Installation
Trojan:Win32/Kilim.B copies itself to %windir%\exflash\flashplayer.exe. The malware creates the following files on your PC:
- %windir%\exflash\king.txt
- %windir%\exflash\mzÂ
- %windir%\exflash\setup.xml
Payload
Changes system security settings
Trojan:Win32/Kilim.B disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent. Contacts remote host
The malware might contact a remote host at sosyalmsn.com using port 80. Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 a331f67271b3488ef443d0736830ec5aabc93b77.Symptoms
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
%windir%\exflash\flashplayer.exe
%windir%\exflash\king.txt
%windir%\exflash\mzÂ
%windir%\exflash\setup.xml
- You see these entries or keys in your registry:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemLast update 12 February 2014
