
Trojan:Win32/Korlia.C


First posted on 06 February 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Korlia.C.

Explanation:



Trojan:Win32/Korlia.C is a backdoor trojan that allows a remote attacker to perform selected actions on your computer. These include downloading and running arbitrary files, stopping processes, deleting files, and uploading files and information about your computer to a remote server.



Installation

The malware may be installed by other malware, but does not perform any installation actions of its own.

At the time of writing, Trojan:Win32/Korlia.C files have been observed as 13,312 bytes in size, using file names such as the following:

  • conime.exe
  • rundll.exe
  • svchost.exe


Note that these file names may be the same as those used by clean computer processes.



Payload

Contacts remote hosts

The backdoor connects on port 8080 to a local proxy, which in turn creates a connection on port 443 to a remote server. Examples of these remote servers include the following:

  • 5.jptvd7.com
  • mycount.MrsLove.com
  • nssmcrc.IsASecret.com
  • nssmcrc2013.myfw.us


The backdoor's controller may issue a number of possible commands, which the malware will execute, then communicate the results to the remote server. These include the following:

  • Download a file to the local system
  • Run an arbitrary file (which may include files previously downloaded)
  • List available drives on the computer and their types
  • List folder contents
  • Delete files
  • Create a remote command shell on the computer, which allows arbitrary commands to be run
  • List processes running on the local system
  • Stop specified processes
  • Send data to another host
  • Listen for data from another host
  • Upload files (or portions of files) from the local system to the remote server
  • Stop itself from running


Trojan:Win32/Korlia.C creates a file at %windir%\tasks\err.ini which it may use to temporarily log the encrypted commands it receives.

Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".
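As an added defender-side example (not part of the original Microsoft description), the following Python matches host telemetry against the indicators this page lists: the 13,312-byte binaries with the named file names, the %windir%\tasks\err.ini log file, and port 443 connections to the listed servers. The event format and the sample paths and sizes are constructed assumptions.

```python
"""Match host telemetry against the Trojan:Win32/Korlia.C indicators on this page."""
import ntpath
from typing import Dict, List

# Indicators as stated in the description above.
KORLIA_FILE_SIZE = 13312
KORLIA_FILE_NAMES = {"conime.exe", "rundll.exe", "svchost.exe"}
KORLIA_REMOTE_HOSTS = {
    "5.jptvd7.com",
    "mycount.mrslove.com",
    "nssmcrc.isasecret.com",
    "nssmcrc2013.myfw.us",
}
KORLIA_LOG_SUFFIX = "\\tasks\\err.ini"  # created under %windir%

Event = Dict[str, object]


def korlia_findings(events: List[Event]) -> List[str]:
    """Return one human-readable finding per event that matches an indicator."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_start":
            name = ntpath.basename(str(ev["image"])).lower()
            # The file names are shared with clean Windows processes (see the note
            # above), so the observed 13,312-byte size is required as well.
            if name in KORLIA_FILE_NAMES and ev.get("size") == KORLIA_FILE_SIZE:
                findings.append(f"suspect Korlia.C binary: {ev['image']} ({ev['size']} bytes)")
        elif kind == "file_create":
            if str(ev["path"]).lower().endswith(KORLIA_LOG_SUFFIX):
                findings.append(f"Korlia.C command log created: {ev['path']}")
        elif kind == "net_connect":
            host = str(ev.get("dest_host", "")).lower()
            if host in KORLIA_REMOTE_HOSTS and ev.get("dest_port") == 443:
                findings.append(f"connection to Korlia.C server {host}:443 from {ev['image']}")
    return findings


# Constructed sample telemetry (not real captures): a clean svchost.exe, a suspect
# copy, the log file, the local proxy hop on 8080, and the proxy's outbound 443.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_start", "image": r"C:\Windows\System32\svchost.exe", "size": 27136},
    {"type": "process_start", "image": r"C:\Windows\Temp\svchost.exe", "size": 13312},
    {"type": "file_create", "path": r"C:\Windows\Tasks\err.ini"},
    {"type": "net_connect", "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "127.0.0.1", "dest_port": 8080},
    {"type": "net_connect", "image": r"C:\Windows\Temp\proxy.exe",
     "dest_host": "nssmcrc2013.myfw.us", "dest_port": 443},
]

if __name__ == "__main__":
    for line in korlia_findings(SAMPLE_EVENTS):
        print(line)
```

The loopback connection on 8080 is deliberately not flagged on its own, since the page only identifies the remote hosts, not the proxy, as Korlia-specific.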



Analysis by David Wood

Last update 06 February 2013
