Backdoor:Win32/Koceg.AB
First posted on 19 June 2009.
Source: SecurityHome
Aliases:
Backdoor:Win32/Koceg.AB is also known as Win32/Donloz.GZ (CA) and Win32/Zalup (ESET).
Explanation:
Backdoor:Win32/Koceg.AB is the detection for a trojan backdoor that steals FTP credentials and may be instructed to download and install other malicious files from remote Web sites.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\drivers\services.exe
%HOMEPATH%\svchost.exe
<startup folder>\userinit.exe
The presence of the following registry modifications:
Added value: "[system]"
With data: "<system folder>\drivers\services.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Added value: "[system]"
With data: "<system folder>\drivers\services.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Added value: "ImagePath"
With data: "<system folder>\drivers\services.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Added value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\drivers\services.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Installation
Backdoor:Win32/Koceg.AB drops itself as the following files:
<system folder>\drivers\services.exe
%HOMEPATH%\svchost.exe
<startup folder>\userinit.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Note that 'services.exe', 'svchost.exe', and 'userinit.exe' are all file names also used by legitimate Windows files and are installed by default in the Windows system folder; the dropped copies are distinguishable by their locations (the drivers subfolder, the user's home directory and the startup folder), not by their names.
It also creates the following file in which it later stores gathered FTP credentials:
%SystemDrive%\Thunbs.db
It modifies the system registry so that its copies automatically run every time Windows starts:
Adds value: "[system]"
With data: "<system folder>\drivers\services.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "[system]"
With data: "<system folder>\drivers\services.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "ImagePath"
With data: "<system folder>\drivers\services.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Adds value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\drivers\services.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The Userinit value is a comma-separated list of programs that Winlogon starts at every interactive logon; because the legitimate userinit.exe entry is kept and the backdoor's path is appended after it, logon continues to work normally while the backdoor is started alongside it.
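An added check, not part of the original write-up, that applies the registry indicators above to the text of a `reg export` of the affected keys, so it can run offline against hives exported from a suspect host. The sample export is constructed for illustration and assumes the default XP/Vista system folder; the Run-key value name "[system]", the Schedule ImagePath and the appended Userinit entry are the indicators the write-up lists.

```python
import re

# Constructed sample of a `reg export` of the keys named in the write-up after
# infection; paths follow the write-up, this is not a capture from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\\Windows\\System32\\drivers\\services.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="C:\\Windows\\System32\\drivers\\services.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,C:\\Windows\\System32\\drivers\\services.exe"
"""

RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
SCHEDULE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED = r"\drivers\services.exe"  # tail of the dropped file's path

def parse_reg_export(text):
    """Map lower-cased key path -> {value name: data} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key names are case-insensitive
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo .reg escaping: \\ -> \ and \" -> "
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys

def find_koceg_persistence(keys):
    """Return one finding per registry indicator from the write-up that is present."""
    hits = []
    for run in RUN_KEYS:
        for name, data in keys.get(run.lower(), {}).items():
            if name == "[system]" or data.lower().endswith(DROPPED):
                hits.append(f"{run}: value {name!r} -> {data}")
    image = keys.get(SCHEDULE.lower(), {}).get("ImagePath", "")
    if image.lower().endswith(DROPPED):
        hits.append(f"Schedule service ImagePath -> {image}")
    userinit = keys.get(WINLOGON.lower(), {}).get("Userinit", "")
    extra = [p for p in userinit.split(",") if p and not p.lower().endswith(r"\userinit.exe")]
    if extra:
        hits.append(f"Unexpected Userinit entries: {extra}")
    return hits
```

A clean Userinit value normally reads "<system folder>\userinit.exe," with nothing after the comma, so any additional entry is reported even if the file name differs from this variant's.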
Payload
Performs backdoor functionalities
Backdoor:Win32/Koceg.AB monitors the system for FTP credentials, which it stores in 'Thunbs.db'. The gathered information is then sent to remote Web sites. It also listens for commands from a remote attacker, for example, to download and execute other malware from certain Web sites on the system. Some of the sites it is known to connect to are:
odmina.ru
odmi-na.ru
Analysis by Jireh Sanico
Last update 19 June 2009