TrojanDownloader:Win32/Dogkild.G
First posted on 28 May 2009.
Source: SecurityHome
Aliases:
TrojanDownloader:Win32/Dogkild.G is also known as Trojan-GameThief.Win32.OnLineGames.bkzf (Kaspersky), Win32/Agent.PBD (ESET), Trojan.Killav (Symantec).
Explanation:
TrojanDownloader:Win32/Dogkild.G is a trojan that downloads and executes arbitrary files from a remote host. It has been designed to deliberately compromise particular System Restore hardware and software.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\updater.exe
<system folder>\killdll.dll (detected as Trojan:Win32/Dogrobot.G)
<system folder>\drivers\pcidump.sys (detected as VirTool:WinNT/Dogrobot.gen!K)
%temp%\~Frm.exe (detected as TrojanDownloader:Win32/Dogrobot.E)
<system folder>\drivers\AsyncMac (detected as VirTool:WinNT/Dogkild.A)
The presence of the following registry modifications:
Adds value: "updater"
With data: "<system folder>\updater.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Installation
TrojanDownloader:Win32/Dogkild.G copies itself to <system folder>\updater.exe and modifies the registry to execute this copy at each Windows start:
Adds value: "updater"
With data: "<system folder>\updater.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista it is C:\Windows\System32.
TrojanDownloader:Win32/Dogkild.G may consist of several components. It may drop the following files to the affected system:
<system folder>\killdll.dll (detected as Trojan:Win32/Dogrobot.G)
<system folder>\drivers\pcidump.sys (detected as VirTool:WinNT/Dogrobot.gen!K)
%temp%\~Frm.exe (detected as TrojanDownloader:Win32/Dogrobot.E)
<system folder>\drivers\AsyncMac (detected as VirTool:WinNT/Dogkild.A)
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Dogkild.G contacts remote hosts in order to download and execute files of the attacker's choice on the affected machine.
Compromises system restore
Win32/Dogkild attempts to overwrite the system file userinit.exe with a low-level disk operation. This action may bypass the protection offered by System Restore hardware and software, as the integrity of restore settings may be lost.
Modifies hosts file
Win32/Dogkild may replace the Windows Hosts file with a file that it downloads from a remote host. The local Hosts file overrides DNS resolution, mapping a web site's host name to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus products).
Terminates processes
Win32/Dogkild attempts to terminate the following processes, which are related to antivirus software:
CCENTER.EXE
KAVStart.exe
avp.exe
ekrn.exe
egui.exe
KwatchSvc.exe
Modifies system security settings
Win32/Dogkild also attempts to disable the following antivirus-related services:
RavTask
RsScanSrv
RavTray
RsRavMon
ekrn
KwatchSvc
kaccore
KISSvc
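The artifacts listed on this page (dropped files, the Run value, the targeted antivirus services and the replaced Hosts file) are exactly what a responder would sweep for. The following is an added example, not part of the original entry and not vendor tooling: an offline indicator check that runs over a constructed host snapshot (a small dataclass standing in for what a collector would gather with winreg, os.path and service queries on a live machine). The `HostSnapshot` type, the sample values in `SAMPLE` and `CLEAN_SAMPLE`, and the hostname in the sample Hosts file are all constructed for the example; only the indicator strings come from the page.

```python
"""Offline indicator sweep for the TrojanDownloader:Win32/Dogkild.G artifacts
listed on this page.  Added example: it evaluates a constructed host snapshot
instead of touching a live system, so it runs anywhere and is easy to test."""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Indicators taken from the page. <system folder> and %temp% are resolved per host.
SYSTEM_FOLDER_FILES = [
    r"updater.exe",
    r"killdll.dll",
    r"drivers\pcidump.sys",
    r"drivers\AsyncMac",          # listed on the page without an extension, kept as written
]
TEMP_FILES = [r"~Frm.exe"]
RUN_VALUE_NAME = "updater"
RUN_VALUE_DATA = r"updater.exe"   # page gives <system folder>\updater.exe
TARGETED_SERVICES = {"ravtask", "rsscansrv", "ravtray", "rsravmon",
                     "ekrn", "kwatchsvc", "kaccore", "kissvc"}
# Names that legitimately appear in a default hosts file.
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostSnapshot:
    """Constructed stand-in for the data a collector would gather from one host."""
    system_folder: str            # e.g. C:\Windows\System32
    temp_folder: str              # e.g. C:\Users\<user>\AppData\Local\Temp
    files: set[str]               # full paths of files present on disk
    run_values: dict[str, str]    # HKLM\...\CurrentVersion\Run: value name -> data
    services: dict[str, str]      # service name -> "running" | "stopped" | "disabled"
    hosts_file: str               # contents of <system folder>\drivers\etc\hosts


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path))


def check_files(snap: HostSnapshot) -> list[str]:
    """Return the page-listed dropped files that exist in the snapshot."""
    present = {_norm(p) for p in snap.files}
    expected = [ntpath.join(snap.system_folder, f) for f in SYSTEM_FOLDER_FILES]
    expected += [ntpath.join(snap.temp_folder, f) for f in TEMP_FILES]
    return [p for p in expected if _norm(p) in present]


def check_run_key(snap: HostSnapshot) -> list[str]:
    """Flag the Run value the malware adds, matching on value name or on data."""
    expected_data = _norm(ntpath.join(snap.system_folder, RUN_VALUE_DATA))
    return [f"{name} = {data}" for name, data in snap.run_values.items()
            if name.lower() == RUN_VALUE_NAME or _norm(data.strip('"')) == expected_data]


def check_services(snap: HostSnapshot) -> list[str]:
    """Report page-listed antivirus services that are installed but not running."""
    return sorted(f"{name} ({state})" for name, state in snap.services.items()
                  if name.lower() in TARGETED_SERVICES and state.lower() != "running")


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Parse hosts-file text into (ip, hostname) pairs; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def check_hosts(snap: HostSnapshot) -> list[str]:
    """Flag every hosts entry that pins a non-local name to an address; the page
    describes the malware replacing the file to redirect security-related sites."""
    return [f"{name} -> {ip}" for ip, name in parse_hosts(snap.hosts_file)
            if name not in LOCAL_HOSTNAMES]


def scan(snap: HostSnapshot) -> dict[str, list[str]]:
    """Run every check and return only the categories with findings."""
    findings = {
        "dropped_files": check_files(snap),
        "run_key": check_run_key(snap),
        "av_services_not_running": check_services(snap),
        "hosts_overrides": check_hosts(snap),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed sample: a host showing the artifacts this page describes.
SAMPLE = HostSnapshot(
    system_folder=r"C:\Windows\System32",
    temp_folder=r"C:\Users\alice\AppData\Local\Temp",
    files={r"C:\Windows\System32\updater.exe",
           r"C:\Windows\System32\killdll.dll",
           r"C:\Windows\System32\drivers\pcidump.sys",
           r"C:\Windows\System32\kernel32.dll"},
    run_values={"updater": r"C:\Windows\System32\updater.exe",
                "VendorTool": r"C:\Program Files\Vendor\tool.exe"},
    services={"ekrn": "stopped", "RavTask": "disabled", "Dhcp": "running"},
    hosts_file="# constructed hosts file\n127.0.0.1 localhost\n10.0.0.5 update.example-av.invalid\n",
)

# Constructed sample: a host with none of the artifacts.
CLEAN_SAMPLE = HostSnapshot(
    system_folder=r"C:\Windows\System32", temp_folder=r"C:\Temp",
    files={r"C:\Windows\System32\kernel32.dll"}, run_values={},
    services={"Dhcp": "running"}, hosts_file="127.0.0.1 localhost\n",
)

if __name__ == "__main__":
    for category, items in scan(SAMPLE).items():
        print(category)
        for item in items:
            print("   ", item)
```

The service check deliberately reports "installed but not running" rather than "absent", because the page says the malware disables services rather than removing them; the Hosts check reports every non-local entry rather than a vendor list, since the page names no particular redirected sites and any unexpected override is worth a look.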
Analysis by Chun Feng
Last update 28 May 2009