
Win32/Koutodoor


First posted on 07 April 2012.
Source: Microsoft

Aliases:

There are no other names known for Win32/Koutodoor.

Explanation:

Win32/Koutodoor is a malware family that is capable of changing the Internet Explorer home page and downloading arbitrary files from certain servers. It can also open certain webpages using Internet Explorer.





Installation

Win32/Koutodoor drops the following components:

  • %TEMP%\<random characters>.exe - for example, "monney.exe"; this contains the malware payload
  • %TEMP%\<random characters>.bat - for example, "xanauo.bat"; this contains commands to execute
  • <system folder>\<random characters>.dll - malware file installed as a service
  • <system folder>\<random characters>.sys - rootkit component


Its .dll component is registered as a service with a random name under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\

Its rootkit component is not installed if any of the following security applications is found running on the computer:

  • 360tray.exe
  • avp.exe
  • rstray.exe


Win32/Koutodoor also modifies the following registry entries to store its configuration data:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime
Sets value: "SID"
With data: "<current user's SID>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime
Sets value: "Safe"
With data: "<number>"



Payload

Downloads arbitrary files

Win32/Koutodoor checks the Internet Explorer home page by reading the following registry entry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Value: "Start page"

It checks if the home page contains any of the following strings:

  • about:blank
  • baidu.com
  • hao123.com
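
The two registry artifacts described above (the configuration values under the DateTime subkey, and the start-page check) can be triaged offline from a `reg export` of a suspect host. The following is an added example written for this page, not Microsoft's code or the malware's: it assumes the .reg export has already been decoded to text, and the sample export embedded at the bottom is constructed, not captured from a real infection.

```python
import re

# Registry artifacts the write-up attributes to Win32/Koutodoor, as .reg exports spell them.
CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
TRIGGER_STRINGS = ("about:blank", "baidu.com", "hao123.com")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}, both lower-cased
    (the registry is case-insensitive). Keeps REG_SZ and REG_DWORD only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, sz, dword = m.groups()
            # dword:XXXXXXXX is hex; string values use backslash escapes (\\ and \").
            value = int(dword, 16) if sz is None else re.sub(r"\\(.)", r"\1", sz)
            keys[current][name.lower()] = value
    return keys

def koutodoor_indicators(keys):
    """Return one finding per Koutodoor registry artifact present in `keys`."""
    findings = []
    cfg = keys.get(CONFIG_KEY.lower(), {})
    present = [n for n in ("sid", "safe") if n in cfg]
    if present:
        findings.append(f"config values {present} present under the DateTime subkey")
    # The malware branches on these substrings in the start page; a match is
    # not proof of infection on its own, only corroboration.
    start = keys.get(IE_MAIN_KEY.lower(), {}).get("start page")
    if isinstance(start, str):
        hit = [s for s in TRIGGER_STRINGS if s in start.lower()]
        if hit:
            findings.append(f"IE start page {start!r} contains trigger string(s) {hit}")
    return findings

# Constructed sample export (not from a real host) showing both artifacts.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime]
"SID"="S-1-5-21-1111111111-2222222222-3333333333-1001"
"Safe"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.hao123.com/"'''
```

Real exports are UTF-16 with a header line and may contain multi-line hex values; those lines are simply skipped by the parser above.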


If any of these strings is found, Win32/Koutodoor downloads files from the following servers:

  • szbbs.info
  • ksbbs.info
  • csbbs.info
  • shiping8.info


If not, Win32/Koutodoor downloads files from the following servers instead:

  • 236236.info
  • 139139.info
  • 134135.info
  • 135136.info
  • 100du.info


It then executes its downloaded file.

Modifies the Internet Explorer start page

Win32/Koutodoor sets the start page to one of the following URLs:



Connects to remote servers

Win32/Koutodoor connects to the following servers to report that it has successfully infected the computer.

  • dwon1028Request.cn
  • pg1028Report.cn
  • ppzy.com


It also connects to the following websites using Internet Explorer:

  • www.9348.cn/<removed>?s
  • www.go2000.cn/index<removed>.htm




Analysis by Patrick Estavillo

Last update 07 April 2012
