TrojanDownloader:Win32/Kanav.C
First posted on 07 September 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Kanav.C is also known as Packed.Win32.Klone.bu (Kaspersky).
Explanation:
TrojanDownloader:Win32/Kanav.C downloads and runs other files. It deletes a registry entry related to the gaming service "Battle.net".
Installation
When run, TrojanDownloader:Win32/Kanav.C copies itself as the following file:
%Systemroot%\system32\vmtoolsd.exe
It creates the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Random CLSID}
Sets value: "stubpath"
With data: "%Systemroot%\system32\vmtoolsd.exe"
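A triage check for the autostart entry described above, added here as an example and not taken from the Microsoft write-up: it scans saved `reg query ... /s` output of the Installed Components key for a `stubpath` value that resolves to `%Systemroot%\system32\vmtoolsd.exe`. The function names, the sample CLSIDs and the default `C:\Windows` system root are assumptions.

```python
import re

# Constructed sample of `reg query "<Installed Components key>" /s` output.
# The CLSIDs and the first entry are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}
    (Default)    REG_SZ    Example Component
    StubPath    REG_EXPAND_SZ    "%ProgramFiles%\Example\setup.exe" /user

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
    stubpath    REG_SZ    C:\WINDOWS\system32\vmtoolsd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{99999999-8888-7777-6666-555555555555}
    StubPath    REG_EXPAND_SZ    "%SystemRoot%\System32\vmtoolsd.exe"
"""

ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"
# reg.exe prints: 4 spaces, value name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def normalise(data, system_root):
    """Lower-case the StubPath data, drop quotes, expand the system-root variables."""
    path = data.strip().replace('"', "").lower()
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, system_root.lower())
    return path

def find_kanav_stubpaths(reg_output, system_root=r"C:\Windows"):
    """Return (CLSID, raw data) for each StubPath that runs system32\\vmtoolsd.exe."""
    target = system_root.lower() + r"\system32\vmtoolsd.exe"
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not (key and m) or ACTIVE_SETUP not in key.lower():
            continue
        if m.group("name").lower() != "stubpath":
            continue
        path = normalise(m.group("data"), system_root)
        if path == target or path.startswith(target + " "):
            hits.append((key.rsplit("\\", 1)[-1], m.group("data")))
    return hits

if __name__ == "__main__":
    for clsid, data in find_kanav_stubpaths(SAMPLE):
        print(f"suspicious Active Setup entry {clsid}: {data}")
```

The check matches on the full path rather than the file name because `vmtoolsd.exe` is also the name of the VMware Tools service binary, which normally installs under Program Files.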
Payload
Downloads other files
TrojanDownloader:Win32/Kanav.C downloads and runs a file from the server "issuejeju.com". As of this writing, the file is unavailable.
Deletes registry keys
TrojanDownloader:Win32/Kanav.C deletes the following registry key, related to the gaming service "Battle.net", if it exists:
HKCU\Software\Blizzard Entertainment\Battle.net\Identity
Analysis by Stefan Sellmer
Last update 07 September 2012