
Trojan.Kobcka


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Kobcka.

Explanation:

When executed, Trojan.Kobcka creates the following files:

%windows%\startdrv.exe
%system32%\MailSpectre.exe
%system32%\runtime2.sys
%system32%\smtpdrv.sys

Trojan.Kobcka has two main components: a mass mailer and a rootkit.



The Rootkit:

Attaches to the following native API functions by hooking the System Service Descriptor Table (SSDT):

ZwOpenKey
ZwEnumerateKey
ZwSetValueKey
ZwDeleteValueKey
ZwEnumerateValueKey

This way, the virus manages to hide the registry keys it creates.

So that the driver is loaded even in Safe Mode, it creates the following registry keys:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys

The virus also intercepts every process that is being created. This way it hides its own process from Task Manager and from other programs that might detect it.
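An added defender-side check, not part of the BitDefender write-up: it lists everything the SafeBoot\Minimal and SafeBoot\Network keys will load in Safe Mode and flags entries with no driver image under System32 or no matching Services definition, so a dropped driver such as runtime2.sys stands out for review. The parameter names, the offline-hive mount point and the heuristics are assumptions of this example.

```powershell
# Added example, not part of the BitDefender write-up. Lists every entry under the SafeBoot keys
# the Trojan writes to and flags entries whose driver image or Services definition cannot be found.
# The rootkit hooks ZwEnumerateKey, so on a live infected host the hidden subkeys may never be
# returned: run this from a clean boot environment, or load the SYSTEM hive offline
# (reg load HKLM\Offline <mounted>\Windows\System32\config\SYSTEM) and pass
# -ControlSet 'HKLM:\Offline\ControlSet001' -SystemRoot '<mounted>\Windows'.
param(
    [string]$ControlSet = 'HKLM:\SYSTEM\CurrentControlSet',
    [string]$SystemRoot = $env:SystemRoot
)

$services   = Join-Path $ControlSet 'Services'
$safeBoot   = 'Minimal', 'Network' | ForEach-Object { Join-Path $ControlSet "Control\SafeBoot\$_" }
$driverDirs = (Join-Path $SystemRoot 'System32\drivers'), (Join-Path $SystemRoot 'System32')

$report = foreach ($root in $safeBoot) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $entry    = $_.PSChildName
        $default  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $problems = @()

        # Setup-class GUIDs and driver groups are standard SafeBoot content with nothing to verify.
        if ($entry -match '^\{[0-9A-Fa-f-]+\}$' -or $default -eq 'Driver Group') { return }

        if ($entry -match '\.sys$') {
            # Driver entry: Safe Mode loads the driver whose image file carries this name.
            if (-not ($driverDirs | Where-Object { Test-Path (Join-Path $_ $entry) })) {
                $problems += 'driver image not found under System32'
            }
            $svcName = [IO.Path]::GetFileNameWithoutExtension($entry)
        } else {
            $svcName = $entry   # Service entry, keyed by service name
        }
        if (-not (Test-Path (Join-Path $services $svcName))) {
            $problems += 'no matching Services key'
        }
        $finding = if ($problems) { $problems -join '; ' } else { 'ok' }

        [pscustomobject]@{
            SafeBootKey = Split-Path $root -Leaf
            Entry       = $entry
            Default     = $default
            Finding     = $finding
        }
    }
}
# Flagged entries sort ahead of 'ok'; review each one against the host's expected drivers.
$report | Sort-Object Finding | Format-Table -AutoSize
```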





The MassMailer:



When executed, it first tries to connect to 206.66.[hide].[hide] on port 2531. Once connected, it sends sensitive information about the infected computer (such as the version of the operating system and the port on which the virus can receive data). It then waits to receive a certain command (so the virus can also be considered a backdoor) and some data. The data transmitted over the network is encrypted using the string “Poshel-ka ti na hui drug aver” and decrypted with the string “reva grud iuh an it ak-lehsoP”.

Based on the operating system of the infected computer, the virus tries to download a file from a certain address: http://67.18.114.98/**** . The file is saved in the %Temp% folder and, when executed, drops the same files described above (it works as an update).



The file has its own SMTP server, which tries to connect to the following addresses and send e-mails:

mxs.mail.ru
gmail-smtp-in.l.google.com
gsmtp183.google.com
in1.smtp.messagingengine.com
mail7.digitalwavez.co.nz

Last update 21 November 2011
