
Worm:Win32/Kasidet.A


First posted on 30 April 2015.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Kasidet.A.

Explanation :

Threat behavior

Installation

This threat creates a file on your PC that borrows the name of a file it finds in the %SystemRoot% directory, for example explorer.exe, hh.exe, or isuninst.exe. It creates this file in the following location:

  • %APPDATA%\\, for example %APPDATA%\mymachine\explorer.exe


It creates the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "%APPDATA%\\", for example "%APPDATA%\mymachine\explorer.exe"
With data: "", for example "explorer.exe"
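The following PowerShell check is an added example, not part of the Microsoft write-up. It enumerates the current user's Run key and flags any entry that points into %APPDATA% under a file name that also exists in %SystemRoot%, which is the persistence pattern described above. Because this family records the full path as the value name and only the file name as the value data, both fields are examined. The function name Get-ExecutablePath is the example's own; it assumes the script runs in the profile of the affected user (HKCU).

```powershell
# Added example: find HKCU Run entries that run from %APPDATA% under a
# file name borrowed from %SystemRoot% (the Kasidet.A persistence pattern).
$runKey        = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$appDataRoot   = $env:APPDATA.TrimEnd('\') + '\'
$systemRootSet = @{}
Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemRootSet[$_.Name.ToLowerInvariant()] = $true }

function Get-ExecutablePath {
    # Return the executable portion of a Run-value command line,
    # honouring a quoted path and expanding environment variables.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { $cl = $cl.Substring(1, $end - 1) }
    } else {
        $cl = ($cl -split '\s+')[0]
    }
    return [System.Environment]::ExpandEnvironmentVariables($cl)
}

$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($null -eq $key) { Write-Output 'No Run key exists for this user.'; return }

foreach ($valueName in $key.GetValueNames()) {
    $valueData = [string]$key.GetValue($valueName)
    # Kasidet.A stores the path in the value NAME and the file name in the
    # DATA, so either field may carry the path: examine both.
    foreach ($candidate in @($valueName, $valueData)) {
        if ([string]::IsNullOrWhiteSpace($candidate)) { continue }
        $exe  = Get-ExecutablePath $candidate
        $leaf = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()
        $inAppData   = $exe.StartsWith($appDataRoot, [System.StringComparison]::OrdinalIgnoreCase)
        $borrowsName = $systemRootSet.ContainsKey($leaf)
        if ($inAppData -and $borrowsName) {
            [pscustomobject]@{
                ValueName = $valueName
                ValueData = $valueData
                Target    = $exe
                Exists    = Test-Path -LiteralPath $exe
                Note      = "Runs from %APPDATA% under a %SystemRoot% file name ($leaf)"
            }
        }
    }
}
```

A hit is a lead rather than a verdict: some legitimate per-user installers also live under %APPDATA%, so confirm by hashing the target and comparing it with the genuine file of the same name in %SystemRoot%, which it should not match.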

Spreads through...

It can create the following copies on removable drives, such as USB flash drives:

  • :\WinUpdate.exe


It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
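The following check is an added example, not part of the Microsoft write-up. It walks every removable drive, tests for the two artifacts named above (a root-level WinUpdate.exe and an autorun.inf), parses the autorun.inf directives that can launch a program, and bases its verdict on what the file points at rather than on its mere presence, which, as noted above, proves nothing by itself. The function name Get-AutorunTargets is the example's own; it assumes the drive is currently mounted and readable.

```powershell
# Added example: triage removable drives for the Kasidet.A spreading artifacts.
# DriveType 2 is "Removable Disk" in Win32_LogicalDisk.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

function Get-AutorunTargets {
    # Return the [autorun] directives that can start a program:
    # open=, shellexecute=, and shell\<verb>\command=.
    param([string]$InfPath)
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += [pscustomobject]@{ Directive = $Matches[1]; Target = $Matches[2] }
        }
    }
    return $targets
}

foreach ($disk in $removable) {
    $root    = $disk.DeviceID + '\'
    $payload = Join-Path $root 'WinUpdate.exe'
    $inf     = Join-Path $root 'autorun.inf'
    $result  = [ordered]@{
        Drive           = $disk.DeviceID
        WinUpdateExe    = Test-Path -LiteralPath $payload
        WinUpdateSha256 = $null
        AutorunInf      = Test-Path -LiteralPath $inf
        AutorunTargets  = @()
        Verdict         = 'clean'
    }
    if ($result.WinUpdateExe) {
        # Hash the sample so it can be matched against AV telemetry.
        $result.WinUpdateSha256 = (Get-FileHash -LiteralPath $payload -Algorithm SHA256).Hash
    }
    if ($result.AutorunInf) {
        $result.AutorunTargets = Get-AutorunTargets $inf
    }
    $launchesPayload = $result.AutorunTargets | Where-Object { $_.Target -match 'WinUpdate\.exe' }
    if ($result.WinUpdateExe -and $launchesPayload) {
        $result.Verdict = 'suspicious: autorun.inf launches WinUpdate.exe'
    } elseif ($result.WinUpdateExe) {
        $result.Verdict = 'review: WinUpdate.exe present in drive root'
    } elseif ($result.AutorunInf) {
        $result.Verdict = 'review: autorun.inf present; inspect its targets'
    }
    [pscustomobject]$result
}
```

AutoRun from non-optical removable media has been disabled by default since Windows 7 and on patched earlier releases, so the autorun.inf mainly matters on unpatched or reconfigured hosts; the copied WinUpdate.exe can still be launched by a user who double-clicks it.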

Payload

Steals your sensitive information

This threat can collect the following information from your PC:

  • PC name
  • User name
  • Operating system version
  • Product ID
  • Installed antivirus products
  • Local IP address


It also checks to see what Windows version you are running and if you have administrator privileges.

Contacts a remote host

The stolen information is sent to the malware's command and control (C&C) server. We have seen it connect to the following servers:

  • abbeytraders.co.uk
  • bungee-bumper.de
  • hilarybateman.co.za
  • lonehillbedandbreakfast.co.za
  • merseysidedogshome.org
  • project7.co.za
  • safarisa.net
  • xtronics.in


Once connected to its C&C server, the worm can also receive the following commands from a malicious hacker:

  • Download and run files
  • Record which keys you press
  • Participate in DoS attacks
  • Update itself
  • Delete files and registry entries
  • Find files on your PC
  • Modify the system Hosts file
  • Visit a URL using a hidden desktop
  • Set the interval for retrieving commands from C&C
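The following check is an added example, not part of the Microsoft write-up, and serves both the C&C list and the "Modify the system Hosts file" command above. It looks for the listed domains in the local DNS resolver cache and in the hosts file, and prints every active hosts-file mapping so that an attacker-added entry can be spotted. The function names Get-HostsEntries and Test-C2Domain are the example's own. Treat any hit as a lead to confirm: these are ordinary registered domains that may have been cleaned up or re-used since 2015.

```powershell
# Added example: check DNS cache and hosts file against the Kasidet.A C&C list.
$c2Domains = @(
    'abbeytraders.co.uk', 'bungee-bumper.de', 'hilarybateman.co.za',
    'lonehillbedandbreakfast.co.za', 'merseysidedogshome.org',
    'project7.co.za', 'safarisa.net', 'xtronics.in'
)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    # Return the active (non-comment) address/hostname pairs from a hosts file.
    param([string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $clean = ($line -split '#')[0].Trim()
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; HostName = $name.ToLowerInvariant() }
        }
    }
}

function Test-C2Domain {
    # True when $Name is one of the C&C domains or a subdomain of one.
    param([string]$Name)
    foreach ($d in $c2Domains) {
        if ($Name -eq $d -or $Name.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

'== hosts file entries (review anything beyond localhost) =='
$hostsEntries = @(Get-HostsEntries $hostsPath)
$hostsEntries | Format-Table -AutoSize
$hostsEntries | Where-Object { Test-C2Domain $_.HostName } |
    ForEach-Object { "C&C domain pinned in hosts file: $($_.HostName) -> $($_.Address)" }

'== DNS client cache hits =='
# Get-DnsClientCache is available on Windows 8 / Server 2012 and later.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { Test-C2Domain ([string]$_.Entry).ToLowerInvariant() } |
    Select-Object Entry, Data, TimeToLive
```

The DNS cache only holds recent lookups, so an empty result is not a clean bill of health; for anything older, search proxy or DNS server logs for the same domain list.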


Additional information

Creates a mutex

This threat can create the following mutexes:

  • n3nmtx
  • protected_n3utrino

The mutex prevents more than one copy of the threat from running on your PC, and its presence can serve as an infection marker.
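The following check is an added example, not part of the Microsoft write-up. It tests whether either mutex named above currently exists, in both the session-local and the Global namespace. The function name Test-MutexPresent is the example's own. A mutex is held only while the malware process is running, so a miss does not clear the host; a hit, or an access-denied error (which means the object exists but belongs to another security context), is a strong lead to follow with the process and persistence checks.

```powershell
# Added example: probe for the Kasidet.A mutexes without creating them.
$mutexNames = @('n3nmtx', 'protected_n3utrino')

function Test-MutexPresent {
    # Returns 'present', 'present (access denied)' or 'absent' for one name.
    # TryOpenExisting only opens an existing object; it never creates one,
    # so the probe cannot itself plant the infection marker.
    param([string]$Name)
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$m)) {
            $m.Dispose()
            return 'present'
        }
        return 'absent'
    } catch [System.UnauthorizedAccessException] {
        # The mutex exists but this account cannot open it: still a marker.
        return 'present (access denied)'
    }
}

foreach ($name in $mutexNames) {
    # Unprefixed names live in the caller's session; also try Global\.
    foreach ($full in @($name, "Global\$name")) {
        [pscustomobject]@{ Mutex = $full; Status = Test-MutexPresent $full }
    }
}
```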



Analysis by Jasper Manuel

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %APPDATA%\\, for example %APPDATA%\mymachine\explorer.exe
  • You see these entries or keys in your registry

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "%APPDATA%\\", for example "%APPDATA%\mymachine\explorer.exe"
    With data: "", for example "explorer.exe"

Last update 30 April 2015
