
PWS:Win32/Kernak.A


First posted on 04 November 2010.
Source: SecurityHome

Aliases :

PWS:Win32/Kernak.A is also known as TR/Gendal.31104 (Avira), Backdoor.Win32.FreeRemote.jq (Rising AV), Backdoor.Graybird (Symantec).

Explanation :

PWS:Win32/Kernak.A is a detection for installed trojan components that capture keystrokes and drive information and have limited remote access functionality.

Installation

The trojan may be installed by other malware. If the installation occurs during a Windows session where the user has administrative privileges, the trojan components may be present as the following files:

  • %windir%\system32\export\logs\wrle.dll
  • %windir%\system32\export\logs\fcomp.gsi

Payload

Collects and sends potentially sensitive information

This trojan uses an API "SetKeyboardHook()" from the component "wrle.dll" to capture and log keystrokes into the following file:

  • %windir%\system32\export\logs\<file name>.log

The log file name is constructed from the volume serial number of the C drive and the current date and time. The trojan also monitors for the insertion of removable media such as a flash or USB drive and writes information about the drive to the log file. For each drive and its subdirectories, the trojan logs the following properties of every file and folder:

  • File names
  • File date & time
  • File size

The following information about the operating system is also gathered and stored in the log file:

  • OS version/build
  • Service packs
  • Default user names

The trojan uses the component "fcomp.gsi" to send the log file to a remote attacker. The log file is also sent to a remote attacker via an HTTP POST request.

Limited remote access and control

If a remote attacker is connected to the affected computer, the trojan could allow the attacker to perform the following actions:

  • Upload or download log files containing captured data
  • Execute certain commands, such as copying and deleting files or folders
  • Capture screen images
  • Gather volume information
  • Start, stop or configure USB capturing and keystroke monitoring
  • Terminate malware threads
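The file paths above are the only on-disk indicators this write-up gives, so a practical first check on a suspect host is to look for them. The following script is an added example written for this page, not code from the original analysis or from the malware: it walks %windir%\system32\export\logs, reports the two named components and any *.log files sitting beside them, and includes a constructed fake %windir% tree so it can be exercised offline. Because the page does not state the exact format of the log file name (only that it is built from the C drive volume serial number and the date and time), every *.log in that directory is reported rather than matched against a guessed pattern; the file contents written by the demo are placeholders, not the real components.

```python
"""Check a Windows directory for the on-disk indicators of PWS:Win32/Kernak.A.

Indicators taken from the write-up:
  %windir%\\system32\\export\\logs\\wrle.dll   (keystroke hook component)
  %windir%\\system32\\export\\logs\\fcomp.gsi  (exfiltration component)
  %windir%\\system32\\export\\logs\\<name>.log  (captured keystrokes/drive data)
"""
import os
import tempfile
from pathlib import Path

# Component file names named on the page; NTFS is case-insensitive, so compare lowercased.
KERNAK_COMPONENTS = {"wrle.dll", "fcomp.gsi"}
# Drop directory relative to %windir%, as given on the page.
LOGS_SUBDIR = Path("system32") / "export" / "logs"


def find_kernak_indicators(windir):
    """Return a dict describing Kernak.A artifacts found under <windir>.

    Keys:
      "components": sorted paths of the known components that are present
      "logs":       sorted paths of *.log files in the drop directory
      "infected":   True when at least one known component is present
    A missing drop directory yields an empty, non-infected result.
    """
    logs_dir = Path(windir) / LOGS_SUBDIR
    result = {"components": [], "logs": [], "infected": False}
    if not logs_dir.is_dir():
        return result
    for entry in logs_dir.iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in KERNAK_COMPONENTS:
            result["components"].append(str(entry))
        elif name.endswith(".log"):
            # Log name format is not specified on the page, so report every *.log here.
            result["logs"].append(str(entry))
    result["components"].sort()
    result["logs"].sort()
    result["infected"] = bool(result["components"])
    return result


def build_demo_tree(root=None, infected=True):
    """Construct a fake %windir% for offline testing.

    This is constructed sample data, not a real infection: the files created
    are placeholders, and the log file name is arbitrary.  Returns the fake
    windir path.  When root is None a fresh temporary directory is used.
    """
    if root is None:
        root = tempfile.mkdtemp(prefix="kernak_demo_")
    windir = Path(root) / "Windows"
    logs_dir = windir / LOGS_SUBDIR
    logs_dir.mkdir(parents=True, exist_ok=True)
    if infected:
        (logs_dir / "wrle.dll").write_bytes(b"placeholder, not the real component")
        (logs_dir / "fcomp.gsi").write_bytes(b"placeholder, not the real component")
        (logs_dir / "sample.log").write_text("constructed sample log\n")
    return windir


if __name__ == "__main__":
    # On Windows, check the live %windir%; elsewhere, run against the constructed tree.
    target = os.environ.get("windir")
    if target is None:
        target = build_demo_tree()
    findings = find_kernak_indicators(target)
    print(f"checked {Path(target) / LOGS_SUBDIR}")
    print(f"infected: {findings['infected']}")
    for path in findings["components"] + findings["logs"]:
        print(f"  found: {path}")
```

Presence of either component is treated as the positive signal; a stray *.log alone is reported but not counted as an infection, since the directory name is not unique to this family. On a live host, run it elevated so the system32 subtree is readable, and preserve the .log files before cleanup because they record what was captured and which removable drives were enumerated.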


  • Analysis by Rodel Finones

    Last update 04 November 2010
