
TrojanDropper:Win32/Koutodoor.B


First posted on 18 June 2009.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Koutodoor.B is also known as Backdoor:Win32/Koutodoor.B (other), Trojan.Win32.StartPage.dse (Kaspersky), Generic.dx!db (McAfee), Trojan.StartPage.IXT (VirusBuster).

Explanation :

TrojanDropper:Win32/Koutodoor.B is a trojan that drops and installs components of Win32/Koutodoor on the local computer.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Installation
This malware may be hosted on a Web site disguised as an image file with a file extension .JPG. Opening the file and allowing the malware to run will activate its malware installation payload.

Payload
Installs Other Malware
When run, this malware drops files having high-order bit characters or random file names, as in the following examples:

%APPDATA%\Microsoft\Internet Explorer\Quick Launch\æô¶¯ internet explorer ä¯ààæ÷.lnk
%USERPROFILE%\Favorites\¶·ð·óîï·íø - 4000¿îµ¥»úóîï·ãâ·ñïâ.url
<system folder>\<random characters>.dll (e.g. 'lhxk.dll') - Backdoor:Win32/Koutodoor.B.dll!B
<system folder>\<random characters>.bat (e.g. 'jr47vj.bat')
<system folder>\drivers\<random characters>.sys (e.g. 'yfsa.sys') - Trojan:WinNT/Koutodoor.C

Next, the malware installs the .DLL component using the Windows utility 'rundll32.exe', as in the following example:

rundll32.exe <system folder>\LhxK.dll,DllRegisterServer

The .DLL component may connect to the following remote Web sites:

dwon1028Request.cn
pg1028Report.cn

Additional Information
The shortcuts added to the Quick Launch toolbar and Web browser favorites may link to the Web site '9348.cn'.
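As an added example, not part of the original write-up, a small Python check for the shortcut artifacts described above: it walks a directory tree, flags .lnk/.url files whose names contain high-order-bit characters, and parses .url files to see whether their URL= target is '9348.cn' or a subdomain of it. The sample tree it builds is constructed for illustration, and the .url parsing assumes UTF-8 text.

```python
import configparser
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Shortcut target named in the write-up; extend with further hosts as needed.
SUSPECT_HOSTS = {"9348.cn"}

def url_target(path):
    """Return the URL= value of a Windows Internet Shortcut (.url) file, or None.
    Assumes the INI text is UTF-8/ASCII; real files may also be UTF-16 (assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read(path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def suspect_host(url):
    """True if the URL's host is a suspect host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)

def scan_shortcuts(root):
    """Walk root and return (path, reason) pairs for suspicious .lnk/.url files."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        ext = p.suffix.lower()
        if ext not in (".lnk", ".url"):
            continue
        if any(ord(c) > 0x7F for c in p.name):  # high-order-bit characters in the name
            findings.append((str(p), "non-ASCII shortcut name"))
        if ext == ".url":
            target = url_target(p)
            if target and suspect_host(target):
                findings.append((str(p), "URL shortcut points to suspect host"))
    return findings

def demo():
    """Constructed sample tree (not real samples): one benign and two suspicious shortcuts."""
    root = Path(tempfile.mkdtemp())
    fav = root / "Favorites"
    ql = root / "Quick Launch"
    fav.mkdir()
    ql.mkdir()
    (fav / "MSN.url").write_text("[InternetShortcut]\nURL=http://www.msn.com/\n", encoding="utf-8")
    (fav / "ÓÎÏ· - 4000.url").write_text("[InternetShortcut]\nURL=http://www.9348.cn/\n", encoding="utf-8")
    (ql / "æô¶¯ internet explorer.lnk").write_bytes(b"L\x00\x00\x00")  # stub .lnk bytes
    return scan_shortcuts(root)
```

Run `demo()` to see the findings on the constructed tree; on a real system point `scan_shortcuts` at the user's Favorites and Quick Launch folders.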

Analysis by Dan Kurc

Last update 18 June 2009
