Trojan.Klom.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Trojan.Klom.A.
Explanation:
When the driver is loaded (possibly by other malware), it drops a .dll file from its resource section.
The .dll file:
The .dll file drops another file, named imapi.exe or svchost.exe, into the Temp directory and executes it.
file imapi.exe:
This is the real trojan that compromises your system:
First it drops two files, named restore.sys and runtime.sys, and then loads them.
Next, the trojan drops wuauclt.exe and executes it.
imapi.exe then deletes itself.
file restore.sys:
This file is a rootkit driver. It manipulates some objects exported by ntoskrnl.exe and tcpip.sys, compromising your system.
This driver is also a filter driver: it registers its own routine with the IP Filter Driver, which lets it filter your internet traffic.
file runtime.sys:
This file is a rootkit driver. It installs its own notify routine, triggered whenever a new process is created, so the rootkit can unlink EPROCESS structures from the process chain and let the malware run stealthily. The rootkit also patches tcpip.sys, overriding its dispatch routine and compromising your system.
file wuauclt.exe:
This file is actually a trojan downloader. First it decrypts its data, then creates a mutex named 'wuryf43hfjwee' to make sure only a single instance runs. It then attempts to open a connection to a web server and download a file, which is launched for execution. The connection does not work if you are behind a proxy server.
This trojan may download malware custom made for your system, because it informs the server about your OS version:
The link looks like this: http://{ip-address}/s_13_0?m={digit}r=1&a=1&os=9400000005000000010000000280{number}
It keeps trying to connect to the server until it succeeds.
If the download succeeds, the file is executed (parasitizing a new instance of services.exe).
Next, the trojan deletes itself.
Last update: 21 November 2011
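As an added defensive example (not part of the BitDefender write-up), the Python below matches the beacon URL shape described above against constructed proxy log lines. The log line format, the `scan_proxy_log`/`Hit` names and the tolerance of an optional '&' between the m= and r= parameters are assumptions.

```python
import re
from dataclasses import dataclass

# Beacon URL shape given in the write-up:
#   http://{ip-address}/s_13_0?m={digit}r=1&a=1&os=9400000005000000010000000280{number}
# The pattern tolerates an optional '&' between m= and r= (assumption: the
# write-up shows the two parameters run together, which may be a typo).
KLOM_BEACON = re.compile(
    r"^http://(?P<host>\d{1,3}(?:\.\d{1,3}){3})/s_13_0\?"
    r"m=(?P<m>\d)&?r=1&a=1&os=(?P<os>9400000005000000010000000280\d+)$"
)


@dataclass
class Hit:
    line_no: int   # 1-based line in the input
    client: str    # requesting client IP from the log line
    host: str      # server IP embedded in the beacon URL
    os_tag: str    # value of the os= parameter (OS version fingerprint)


def scan_proxy_log(lines):
    """Return one Hit per log line whose requested URL matches the beacon shape.
    Assumed (constructed) line format: '<client-ip> <method> <url>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        m = KLOM_BEACON.match(parts[2])
        if m:
            hits.append(Hit(n, parts[0], m["host"], m["os"]))
    return hits


# Constructed sample log lines (not from any real capture); TEST-NET addresses.
SAMPLE_LOG = [
    "10.0.0.5 GET http://203.0.113.10/s_13_0?m=3r=1&a=1&os=940000000500000001000000028012345",
    "10.0.0.6 GET http://www.example.com/index.html",
    "10.0.0.7 GET http://198.51.100.20/s_13_0?m=1&r=1&a=1&os=940000000500000001000000028077",
    "10.0.0.8 GET http://203.0.113.10/s_13_0?m=x&r=1&a=1&os=9400000005000000010000000280",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host} (os tag {h.os_tag})")
```

Lines 1 and 3 are reported; line 4 is rejected because m= is not a single digit and the os= value has no trailing number.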