Trojan:Win32/Kovter.B
First posted on 18 January 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Kovter.B.
Explanation:
Threat behavior
Installation
Trojan:Win32/Kovter.B uses the file name %APPDATA%\KB<number>\KB<number>.exe, where <number> is a string of digits, for example %APPDATA%\KB9112247\KB9112247.exe.
It changes the registry so that it runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<number>"
With data: "%APPDATA%\KB<number>\KB<number>.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "KB<number>"
With data: "%APPDATA%\KB<number>\KB<number>.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, "%APPDATA%\KB<number>\KB<number>.exe""
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB9112247"
With data: "%APPDATA%\KB9112247\KB9112247.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "KB9112247"
With data: "%APPDATA%\KB9112247\KB9112247.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, "%APPDATA%\KB9112247\KB9112247.exe""
It also creates registry entries as infection markers, that is, signs that this threat is installed on your PC:
In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "1"
With data: "<16-digit hexadecimal number based on PC information>"
In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "3"
With data: "%APPDATA%\KB<number>\KB<number>.exe"
In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "4"
With data: "<10-digit number based on Kovter's installation time; the example below is consistent with a Unix timestamp of 14 January 2014 UTC>"
For example:
In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "1"
With data: "9109FF4AEFCE1111"
In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "3"
With data: "%APPDATA%\KB9112247\KB9112247.exe"
In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "4"
With data: "1389705410"
It checks whether it is running in a virtual machine or whether any malware analysis tools or debuggers are running on your PC. If so, it stops itself.
Payload
Connects to a server
Trojan:Win32/Kovter.B connects to these servers to receive commands and configuration data from an attacker:
- fz5qiter.biz
- qx5xyngo.org
One of the commands it might receive is to download and run other malware on your PC.
It connects to a different server to send information about your PC:
- cnc2-bt01.biz
It sends information about your PC, such as passwords and cookies saved by your browsers.
Locks your screen
This threat might lock your screen, preventing you from accessing your desktop. It might display this message, or something similar:
"Please connect to the internet...."
Disables Task Manager and Registry Editor
This threat prevents you from running these tools:
- Task Manager
- Registry editor
Opens adult-oriented websites
This threat might automatically open a website containing adult content.
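The following PowerShell hunt script is an added example and is not part of the Microsoft write-up. It checks a host for the installation artifacts described above (the KB<number> autorun values, the altered Winlogon Shell value, the HKLM\SOFTWARE\<8 hex digits> marker key and the dropped file) and for the Task Manager and Registry Editor lockout. The write-up does not say how that lockout is implemented or how marker value "4" is encoded; the script's use of the standard DisableTaskMgr and DisableRegistryTools policy values, and its decoding of value "4" as a Unix timestamp, are assumptions. It only reads; it removes nothing.

```powershell
# Added example: read-only hunt for the Trojan:Win32/Kovter.B artifacts in the write-up.
# Run in an elevated PowerShell on the suspect host. Registry paths and value names
# come from the write-up; the KB<digits> file name and the 8-hex-digit marker key
# vary per sample, so both are matched by pattern.

$findings = New-Object 'System.Collections.Generic.List[string]'

# Dropped file: %APPDATA%\KB<digits>\KB<digits>.exe, e.g. %APPDATA%\KB9112247\KB9112247.exe.
# Group 2 is the digit run; \2 requires directory and file name to carry the same number.
$kovterPath = '(%APPDATA%|\\AppData\\Roaming)\\KB(\d+)\\KB\2\.exe'

# Provider metadata that Get-ItemProperty adds; these are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Autorun persistence: a value named KB<digits>, or any value whose data points
#    at the dropped file, in the two Run locations the write-up names.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if (($p.Name -match '^KB\d+$') -or ("$($p.Value)" -match $kovterPath)) {
            $findings.Add("Autorun value: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 2. Winlogon Shell: on a clean system this is exactly "explorer.exe". Kovter appends
#    its own path after a comma, and Winlogon launches every comma-separated entry.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
    $findings.Add("Winlogon Shell altered: $shell")
}

# 3. Infection marker: HKLM\SOFTWARE\<8 hex digits> holding values named "1", "3", "4".
Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $names = @($props.PSObject.Properties.Name)
        if (($names -contains '1') -or ($names -contains '3') -or ($names -contains '4')) {
            $line = "Marker key: $($_.Name)"
            if ($names -contains '1') { $line += " id=$($props.'1')" }
            if ($names -contains '3') { $line += " path=$($props.'3')" }
            if ($names -contains '4') {
                # Assumption: value "4" is a Unix timestamp. The write-up's sample value,
                # 1389705410, decodes to 2014-01-14 13:16:50 UTC, four days before the
                # write-up was first posted, which fits an installation time.
                $stamp = $props.'4' -as [int64]
                $when = if ($stamp) {
                    [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime.ToString('u')
                } else { 'unparsed' }
                $line += " installed=$($props.'4') ($when)"
            }
            $findings.Add($line)
        }
    }

# 4. The dropped file. The Run values reference %APPDATA%, which resolves per user,
#    so every profile's roaming AppData is checked.
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^KB\d+$' } |
    ForEach-Object {
        $exe = Join-Path -Path $_.FullName -ChildPath "$($_.Name).exe"
        if (Test-Path -Path $exe) { $findings.Add("Dropped file: $exe") }
    }

# 5. Task Manager / Registry Editor lockout. Assumption: the standard policy values
#    are the mechanism; the write-up only states the effect. HKCU reflects the
#    account running this script, so re-run per affected user if needed.
foreach ($hive in @('HKCU', 'HKLM')) {
    $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    foreach ($name in @('DisableTaskMgr', 'DisableRegistryTools')) {
        if ($p -and ($p.$name -eq 1)) { $findings.Add("Policy lockout: $pol\$name = 1") }
    }
}

if ($findings.Count -eq 0) {
    'No Kovter.B artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The Winlogon check is the one most worth keeping in a general baseline: anything other than the single string explorer.exe in that value is abnormal on a workstation, whatever the malware family. The marker-key search is deliberately loose (any 8-hex-digit key directly under HKLM\SOFTWARE with those value names), so review hits rather than acting on them automatically.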
Analysis by Steven Zhou
Symptoms
The following could indicate that you have this threat on your PC:
- You cannot access your desktop, and you see a message saying "Please connect to the internet...."
- Your browser might automatically go to a website containing adult content
- You can't run Task Manager or Registry Editor
Last update 18 January 2014