
Backdoor:Win32/Kanav.D


First posted on 21 November 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Kanav.D is also known as Win-Trojan/Onlinegamehack.62976.AU (AhnLab), Trojan.Win32.Jorik.Vobfus.ezrx (Kaspersky), Trojan.Vobfus!RoGoL8LAzg0 (VirusBuster), Trojan.PWS.Gamania.30644 (Dr.Web), Trojan.Win32.Jorik (Ikarus).

Explanation:



TrojanDropper:Win32/Kanav.D is a trojan that drops and runs other malware, detected as TrojanDownloader:Win32/Kanav.C.

If your computer is detected with this threat, then it is likely that you have also been infected with TrojanDownloader:Win32/Kanav.C.



Installation

TrojanDropper:Win32/Kanav.D is a DLL file with the same name as the Windows system DLL, "Lpk.dll", which resides in the <system folder>.

The trojan is dropped to folders which contain executable files that, during the normal course of their operation, load "<system folder>\LpK.dll". The folders and executable files could belong to installed, legitimate programs on your computer that are "tricked" into loading the trojan.

When a program attempts to load the legitimate "LpK.dll" file from the <system folder>, it loads TrojanDropper:Win32/Kanav.D instead. This is because an application will look for and load the DLL file in its own folder before it looks for the same-named DLL file in the <system folder>.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".



Payload

Drops other malware

When an application loads TrojanDropper:Win32/Kanav.D, the trojan drops and runs the following file, detected as TrojanDownloader:Win32/Kanav.C, and sets the file with the "hidden" attribute:

%SystemDrive%\1.exe

Note: %SystemDrive% refers to a variable location that is determined by the malware by querying the operating system. The default system drive for Windows 2000, XP, 2003, Vista and 7 is "C:\".

TrojanDropper:Win32/Kanav.D then loads the original Windows system DLL, as was the intent of the application.
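As an added detection example (this is not part of the original entry or of Microsoft's analysis), the following Python script covers both the installation mechanism and the payload described above: it walks a volume and flags every copy of lpk.dll that sits outside the system folder, rating a copy that lies beside an executable and whose hash differs from the genuine system DLL as the strongest search-order hijack indicator, and it checks the drop location %SystemDrive%\1.exe for presence and the "hidden" attribute. It runs offline against a constructed directory tree in a temporary folder; the folder names, file contents and the function names are assumptions made for the demo. On a real host you would call scan_for_lpk_hijack() on each drive root with system_dir set to C:\Windows\System32 and check_dropped_payload("C:\\").

```python
"""Added example: locate lpk.dll search-order hijacks and the dropped 1.exe.
Not the entry's own code. The directory layout below is constructed for the demo."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_lpk_hijack(root, system_dir, dll_name="lpk.dll"):
    """Walk root and report every dll_name outside system_dir.

    An application loads a same-named DLL from its own folder before the system
    folder, so a copy beside an executable shadows the genuine one. Severity:
      high   - beside an executable and its hash differs from the system copy
      medium - beside an executable but byte-identical to the system copy
      low    - no executable in the folder (nothing there would load it)"""
    root = Path(root).resolve()
    system_dir = Path(system_dir).resolve()
    genuine = system_dir / dll_name
    genuine_hash = sha256_of(genuine) if genuine.is_file() else None
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath).resolve()
        if d == system_dir:
            continue  # the legitimate location of the DLL
        for name in filenames:
            if name.lower() != dll_name:  # NTFS is case-insensitive ("LpK.dll")
                continue
            p = d / name
            beside_exe = any(f.lower().endswith(".exe") for f in filenames)
            digest = sha256_of(p)
            matches = genuine_hash is not None and digest == genuine_hash
            severity = "low" if not beside_exe else ("medium" if matches else "high")
            findings.append({
                "path": str(p),
                "relative_path": p.relative_to(root).as_posix(),
                "beside_executable": beside_exe,
                "matches_system_copy": matches,
                "sha256": digest,
                "severity": severity,
            })
    return findings


def check_dropped_payload(system_drive) -> dict:
    """Check the drop location named in the entry (%SystemDrive%\\1.exe).
    The 'hidden' attribute only exists on Windows (st_file_attributes); elsewhere it is None."""
    p = Path(system_drive) / "1.exe"
    if not p.is_file():
        return {"path": str(p), "present": False, "hidden": None}
    attrs = getattr(p.stat(), "st_file_attributes", None)
    hidden = None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return {"path": str(p), "present": True, "hidden": hidden}


def build_constructed_tree(root: Path) -> Path:
    """Create a constructed (fake) layout mimicking a Windows volume; returns the system folder."""
    layout = {
        "Windows/System32/lpk.dll": b"GENUINE-LPK-CONTENT",       # the legitimate DLL
        "Program Files/GoodApp/good.exe": b"MZ good",
        "Program Files/GoodApp/lpk.dll": b"NOT-THE-SYSTEM-DLL",    # hijack beside an executable
        "Program Files/CopyApp/copy.exe": b"MZ copy",
        "Program Files/CopyApp/lpk.dll": b"GENUINE-LPK-CONTENT",   # identical copy, still shadows
        "Program Files/OtherApp/other.exe": b"MZ other",           # clean folder
        "Tools/lpk.dll": b"NOT-THE-SYSTEM-DLL",                    # no executable beside it
        "1.exe": b"MZ dropped",                                    # the dropped downloader location
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root / "Windows" / "System32"


def demo() -> dict:
    """Build the constructed tree, scan it, and return the findings keyed by relative path."""
    root = Path(tempfile.mkdtemp(prefix="kanav_demo_"))
    try:
        system_dir = build_constructed_tree(root)
        findings = {f["relative_path"]: f for f in scan_for_lpk_hijack(root, system_dir)}
        return {"findings": findings, "dropped_payload": check_dropped_payload(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for rel, f in sorted(result["findings"].items()):
        print(f"[{f['severity']:6}] {rel}  beside_exe={f['beside_executable']}  "
              f"matches_system={f['matches_system_copy']}")
    print("dropped payload:", result["dropped_payload"])
```

The hash comparison matters: a byte-identical copy of lpk.dll in an application folder still takes precedence over the system one, so it is reported rather than ignored, but the copy whose content differs from the system DLL is the one that matches this entry's behaviour and gets the highest rating.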

Related encyclopedia entries

TrojanDownloader:Win32/Kanav.C



Analysis by Stefan Sellmer

Last update 21 November 2012

 
