
Trojan:Win32/Kilim.gen!C


First posted on 17 February 2015.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Kilim.gen!C.

Explanation:

Threat behavior

Installation

This malware copies and runs itself from the following locations:

  • %APPDATA%\chromenet.exe
  • %APPDATA%\Chromium_Launcher.exe
  • %APPDATA%\chromium.exe


It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Google Chromium"
With data: "%APPDATA%\Chromium.exe"

It also modifies the following registry entries to lower your PC security settings:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\Software\Policies\Google\Update
Sets value: "UpdateDefault"
With data: "0"

Payload

Downloads other malware

This threat contacts three hardcoded servers to determine which one is online. It waits for a "server_ok" reply from the active server.

It checks which version of the Chrome web browser is installed on your PC. If you have a version other than 30.0.1573.2 the malware will download this version from its server. It then stops the chrome.exe process and replaces this file with the version of Chrome that the malware downloaded.

It then downloads and installs a Chrome plug-in that uses one of the following names:

  • AdBlock Pro
  • Raw manager
  • Rawded Pro


We have seen the malware contact the following servers to download malware or malware updates:

  • alsancakgaming.com
  • facebookcheaplikes.net
  • filmver.com
  • filmverme.com
  • joojlee.com
  • likedealers.com
  • pagesphp.net
  • schedulesapps.com
  • sosyaljs.com
  • sosyaljss.com
  • sosyalpatron.com
  • tmobilevideo.mobi
  • togd.org
  • videotroppy.info
  • voltaj.org
  • windowsjava.com
  • www.5lf.net
  • www.filmver.com
  • www.helpcdn.com
  • www.jscmd.net
  • www.kaplanphp.com
  • www.kasarporno.com
  • www.kingcdn.net
  • www.kplncodes.info
  • www.neran.net
  • www.pagesphp.net
  • www.pornokan.com
  • www.rapfoto.com
  • www.sosyaljs.com
  • www.sosyaljss.com
  • www.sosyaljssss.com
  • www.sshup.com
  • www.wjetphp.com
  • www.yorcdn.com
  • xmobilevideo.mobi
  • yorcdn.com


The plug-in is installed as public.js and is detected as Trojan:JS/Kilim.AA. The plug-in ID is randomly generated.

The malware modifies the preferences of the downloaded plug-in to grant the following permissions:

  • clipboardRead
  • clipboardWrite
  • contentSettings
  • cookies
  • history
  • idle
  • management
  • notifications
  • storage
  • tabs
  • unlimitedStorage
  • webNavigation
  • webRequest
  • webRequestBlocking
  • webRequestInternal
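The permission set above is a useful fingerprint on its own: a benign ad blocker rarely needs cookies, management or webRequestInternal. The script below is an added example, not code from the Microsoft write-up. It reads Chrome's Preferences file (JSON) and scores every installed extension against the permission list above and the plug-in names given earlier. The layout it walks, extensions -> settings -> <extension id> -> granted_permissions -> api, with the name under manifest -> name, is an assumption about the Preferences format; the sample document and the extension ids in it are constructed.

```python
"""Compare each Chrome extension's granted permissions with the set listed above.

Added example, not from the Microsoft write-up. The Preferences layout used
here (extensions -> settings -> <id> -> granted_permissions -> api and
manifest -> name) is an assumption; the sample document below is constructed.
"""
import json
from typing import Dict, List

# Permissions the write-up says the malware grants its plug-in.
KILIM_PERMISSIONS = {
    "clipboardRead", "clipboardWrite", "contentSettings", "cookies",
    "history", "idle", "management", "notifications", "storage", "tabs",
    "unlimitedStorage", "webNavigation", "webRequest", "webRequestBlocking",
    "webRequestInternal",
}
# Plug-in names the write-up lists, compared case-insensitively.
KILIM_NAMES = {"adblock pro", "raw manager", "rawded pro"}
# Permissions that by themselves deserve a closer look: they let an extension
# read session cookies, rewrite any request, or disable other extensions.
HIGH_RISK = {"cookies", "management", "webRequestBlocking", "webRequestInternal"}


def score_extension(ext_id: str, entry: dict, threshold: float) -> Dict[str, object]:
    """Score one extension entry; the two lookups below follow the assumed layout."""
    name = entry.get("manifest", {}).get("name", "")
    api = set(entry.get("granted_permissions", {}).get("api", []))
    overlap = api & KILIM_PERMISSIONS
    ratio = len(overlap) / len(KILIM_PERMISSIONS)
    name_match = name.strip().lower() in KILIM_NAMES
    return {
        "id": ext_id,
        "name": name,
        "overlap_ratio": round(ratio, 2),
        "high_risk": sorted(api & HIGH_RISK),
        "name_match": name_match,
        # A listed name is enough on its own; otherwise require most of the set.
        "suspicious": name_match or ratio >= threshold,
    }


def audit_preferences(prefs_text: str, threshold: float = 0.8) -> List[Dict[str, object]]:
    """Return one score record per installed extension, most suspicious first."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    records = [score_extension(ext_id, entry, threshold) for ext_id, entry in settings.items()]
    return sorted(records, key=lambda r: (r["suspicious"], r["overlap_ratio"]), reverse=True)


# Constructed Preferences fragment: one ordinary extension and one that
# matches the write-up. Extension ids are 32 letters a-p; both are made up.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "manifest": {"name": "Tab Notes", "version": "1.0"},
                "granted_permissions": {"api": ["storage", "tabs"], "explicit_host": []},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "manifest": {"name": "AdBlock Pro", "version": "2.1"},
                "granted_permissions": {
                    "api": sorted(KILIM_PERMISSIONS),
                    "explicit_host": ["<all_urls>"],
                },
            },
        }
    }
})

if __name__ == "__main__":
    for rec in audit_preferences(SAMPLE_PREFERENCES):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['id']} {rec['name']!r} "
              f"overlap={rec['overlap_ratio']} high_risk={rec['high_risk']}")
```

On a live machine you would pass the contents of the profile's Preferences file (under the Chrome user data directory) to audit_preferences; the threshold is deliberately a ratio rather than an exact match so that a variant that drops or adds one permission still scores high.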


Stops update services

This threat can stop Google update services from running on your PC. It does this by deleting the following file:

  • %ProgramFiles%\Google\Update\GoogleUpdate.exe


It also deletes the following scheduled tasks:

  • GoogleUpdateTaskMachineCore
  • GoogleUpdateTaskMachineUA


Redirects your web browser

The malware can redirect your web browser from www.google.com to localhost by modifying the hosts file for any of the following update URLs:

  • clientsX.google.com
  • dl.google.com
  • tools.google.com


It can also block access to security related websites, and stop Windows and browser updates by redirecting traffic to localhost. We have seen it redirect traffic from the following websites:

  • 2-viruses.com
  • aavar.org
  • adwarereport.com
  • agnitum.com
  • agnitum.de
  • agnitum.ru
  • allnod.com
  • allnod.info
  • amtso.org
  • analysis.avira.com
  • answers.microsoft.com
  • anti-malware.com
  • anti-malware-test.com
  • antirootkit.com
  • anti-spyware.com.au
  • antivir.de
  • antivir.ru
  • antivir-2012.com
  • antiviraldp.com
  • antivirus.about.com
  • anti-virus.by
  • antivirus.cai.com
  • antivirus.comodo.com
  • antivirus.startpagina.nl
  • antivirus-online.de
  • anti-virus-software-review.com
  • antivirusvergelijk.nl
  • anubis.iseclab.org
  • au.norton.com
  • auditmypc.com
  • authentium.com
  • av.eu
  • avast.com
  • avast.com.au
  • avast.ru
  • avastav.nl
  • av-comparatives.org
  • av-desk.com
  • avertlabs.com
  • avg.com
  • avg.com.au
  • avg.cz
  • avg-antivirus.com.au
  • avg-antivirus-plus-firewall.en.softonic.com
  • avgfrance.com
  • avira.com
  • avira.com.au
  • avirus.com.ua
  • avirus.ru
  • avp.ru
  • avsoft.ru
  • av-test.de
  • av-test.org
  • bestantivirusreviewed.com
  • bitdefender.co.uk
  • bitdefender.com
  • bitdefender.com.au
  • bitdefender.com.ua
  • bitdefender.de
  • bitdefender.nl
  • bitdefender.ru
  • bobbear.co.uk
  • camas.comodo.com
  • ca-store.com.au
  • centralops.net
  • check-mark.com
  • checkvir.com
  • clamav.dyndns.org
  • clamav.net
  • clamsupport.sourcefire.com
  • clamwin.com
  • cleanallspyware.com
  • cleanuninstall.com
  • clients1.google.com
  • clients10.google.com
  • clients2.google.com
  • clients3.google.com
  • clients4.google.com
  • clients5.google.com
  • clients6.google.com
  • clients7.google.com
  • clients8.google.com
  • clients9.google.com
  • cnet.com
  • comodo.com
  • comodogroup.com
  • companies-house.gov.uk
  • cybercrime.ch
  • cybercrime.gov
  • cyprotect.com
  • data.kaspersky.ru
  • db.local.clamav.net
  • defenx.nl
  • dialognauka.ru
  • diamondcs.com.au
  • dl1.agnitum.com
  • dl2.agnitum.com
  • dnsstuff.com
  • domaintools.com
  • download.drweb.com
  • download.eset.com
  • download.nai.com
  • download.norman.no
  • download1.avast.com
  • download2.avast.com
  • download3.avast.com
  • download4.avast.com
  • download5.avast.com
  • download7.avast.com
  • downloads.kaspersky-labs.com
  • drweb.com
  • drweb.com.ua
  • drweb.imshop.de
  • drweb.net
  • drweb.ru
  • dr-web.ru
  • drweb-antivir.it
  • dw.com
  • edgesuite.net
  • emlx.net
  • emsisoft.com
  • enisa.europa.eu
  • escanav.com
  • eset.co.uk
  • eset.com
  • eset.com.au
  • eset.eu
  • eset.sk
  • esetindia.com
  • esetnod32.ru
  • eu.shopmcafee.com
  • europe.f-secure.com
  • files.avast.com
  • files.f-prot.com
  • finjan.com
  • firewallguide.com
  • forum.avira.com
  • forum.bitdefender.com
  • f-prot.com
  • fraudaid.com
  • free.avg.com
  • free.grisoft.com
  • freeantivirushelp.com
  • free-av.com
  • free-av.de
  • freedrweb.com
  • free-firewall.org
  • freespaceinternetsecurity.com
  • fsa.gov.uk
  • f-secure.co.uk
  • f-secure.com
  • f-secure.de
  • f-secure.ru
  • ftp.bitdefender.com
  • ftp.ca.co
  • ftp.drweb.com
  • ftp.esafe.com
  • ftp.f-secure.com
  • ftp.f-secure.de
  • ftp.kaspersky.ru
  • ftp.kasperskylab.ru
  • ftp.kaspersky-labs.com
  • ftp.microworldsystems.com
  • ftp.nai.com
  • gdata.nl
  • gdatasoftware.co.uk
  • gietl.com
  • gmer.net
  • gratissoftware.nu
  • gratissoftwaresite.nl
  • grisoft.com
  • grisoft.cz
  • hackerguardian.com
  • harveynorman.com.au
  • hijackthis.de
  • home.mcafee.com
  • housecall.trendmicro.com
  • icsalabs.com
  • ika-rus.com
  • ikarus-software.at
  • inline-software.de
  • interpol.int
  • iopus.com
  • iseclab.org
  • joebox.org
  • joojlee.com
  • kaspersky.co.uk
  • kaspersky.com
  • kaspersky.ru
  • kaspersky-antivirus.ru
  • kasperskyanz.com.au
  • kasperskyclub.com
  • kasperskyclub.ru
  • kavdumps.kaspersky.com
  • kerio.com
  • kingsoftsecurity.com
  • k-otik.com
  • krebsonsecurity.com
  • lavasoft.com
  • lavasoft.com.au
  • lavasoft.nu
  • lavasoftusa.com
  • lavasoftusa.de
  • liveupdate.symantec.com
  • lurker.clamav.net
  • majorgeeks.com
  • malekal.com
  • malwarebytes.org
  • mcafee.com
  • mcafee.free-trials.net
  • mcafeesecure.com
  • mcafeesecurity.com
  • mcafeestore.com
  • met.police.uk
  • microbe.com.au
  • misec.net
  • model-fx.com
  • moosoft.com
  • msecn.net
  • mwcollect.org
  • myaccount.bitdefender.com
  • myantispyware.com
  • my-etrust.com
  • nai.com
  • nbi.gov.ph
  • netfreighters.com.au
  • noadware.net
  • nod32.com
  • nod32.com.au
  • nod32.com.ua
  • nod32.it
  • nod32.nl
  • nod-32.ru
  • nod32.su
  • nod32eset.org
  • nordnet.com
  • norman.com
  • norton.com
  • nortonantiviruscenter.com
  • novirus.ru
  • nsclean.com
  • nsslabs.com
  • offensivecomputing.net
  • onecare.live.com
  • onlinescan.avast.com
  • openantivirus.org
  • outpostfirewall.com
  • panda-antivirus.en.softonic.com
  • pandasecurity.com.au
  • pandasoftware.com
  • pccreg.antivirus.com
  • pchelpforum.com
  • pcpro.co.uk
  • pcthreat.com
  • pctools.com
  • pcworld.com
  • personalfirewall.comodo.com
  • pestpatrol.com
  • police.gov.hk
  • prevx.com
  • projecthoneypot.org
  • protectstar-testlab.org
  • ravantivirus.com
  • removevirus.org
  • ripe.net
  • robtex.com
  • rokop-security.de
  • safeweb.norton.com
  • sald.com
  • sandbox.norman.no
  • sandboxie.com
  • santivirus.com
  • scambusters.org
  • scanwith.com
  • schoonepc.nl
  • sectools.org
  • secure.nai.com
  • securesoft.com.au
  • securetec.com.au
  • securitoo.com
  • security.symantec.com
  • securityresponse.symantec.com
  • secuser.com
  • service.mcafee.com
  • service1.symantec.com
  • shop.ca.com
  • shop.mcafee.com
  • simplysup.com
  • siteadvisor.com
  • softonic.com
  • sophos.com
  • spamcop.net
  • spamhaus.org
  • spamtrackers.eu
  • spyblocker-software.com
  • spywareguide.com
  • spywarewarrior.com
  • staples.com
  • staysafeonline.info
  • sunbelt-software.com
  • superantispyware.com
  • superantispyware.com.au
  • support.drweb.com
  • support.f-secure.com
  • support.f-secure.de
  • sygate.com
  • symantec.com
  • symantec-norton.com
  • tds.diamondcs.com.au
  • techsupportforum.com
  • threatexpert.com
  • threatfire.com
  • threatmetrix.com
  • tinysoftware.com
  • tools.google.com
  • treasury.gov
  • trendmicro.com
  • trendmicro.com.au
  • trendmicro.nl
  • trendmicro-europe.com
  • trojan-killer.ne
  • trustdefender.com
  • tucows.com
  • tuwien.ac.at
  • update.eset.com
  • update.microsoft.com
  • updates.sald.com
  • uploadmalware.com
  • us.mcafee.com
  • v4.windowsupdate.microsoft.com
  • v5.windowsupdate.microsoft.com
  • vba32.de
  • vergelijk.nl
  • vet.com.au
  • virscan.org
  • virusall.ru
  • virusblokada.ru
  • virusbtn.com
  • virus-help.net
  • virusinfo.info
  • viruslab.ru
  • viruslist.com
  • virusscan.jotti.org
  • virussen.upc.nl
  • virustotal.com
  • visualizesoftware.com
  • vupen.com
  • webroot.co.uk
  • webroot.com
  • webroot.nl
  • wepawet.iseclab.org
  • wilderssecurity.com
  • wildlist.org
  • windows.microsoft.com
  • windowsupdate.microsoft.com
  • www.dl.google.com
  • www.tools.google.com
  • zeustracker.abuse.ch
  • z-oleg.com
  • zonealarm.com
  • zonelabs.com
  • zonelog.co.uk
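Because the redirects are plain hosts-file entries, they are easy to audit offline. The script below is an added example, not code from the Microsoft write-up: it parses a hosts file, treats loopback and the unspecified address as sinkholes, and reports every public name sent there, separating names from the lists above (a small subset is embedded as the watch-list) from any other sinkholed name, since a hosts-file sinkhole of a real domain is suspicious on its own. The sample hosts content is constructed.

```python
"""Flag hosts-file entries that sinkhole update or security domains to localhost.

Added example, not from the Microsoft write-up. The hosts content below is
constructed; the watch-list is a small subset of the domains listed above.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# The write-up describes traffic being pointed at localhost. The unspecified
# address is treated the same way because it is the other common way to
# block a name through the hosts file.
SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
)

# Names that a stock hosts file may legitimately map to loopback.
DEFAULT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Subset of the update and security domains listed above.
WATCHLIST = {
    "dl.google.com", "tools.google.com", "update.microsoft.com",
    "windowsupdate.microsoft.com", "virustotal.com", "malwarebytes.org",
    "avast.com", "kaspersky.com", "symantec.com", "www.dl.google.com",
}
# clients1.google.com through clients10.google.com are all listed above.
CLIENTS_RE = re.compile(r"^clients\d+\.google\.com$")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every mapping in a hosts file."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        address, *names = line.split()       # one address, one or more names
        for name in names:
            entries.append((no, address, name.lower().rstrip(".")))
    return entries


def is_sinkhole(address: str) -> bool:
    """True if the address sends traffic nowhere useful (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False                         # malformed entry, not a sinkhole
    return any(addr in net for net in SINKHOLE_NETS)


def find_sinkholed(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Split sinkholed names into known targets ('watchlist') and the rest ('other')."""
    hits: Dict[str, List[Tuple[int, str]]] = {"watchlist": [], "other": []}
    for no, address, name in parse_hosts(text):
        if name in DEFAULT_LOCAL or not is_sinkhole(address):
            continue
        known = name in WATCHLIST or CLIENTS_RE.match(name) is not None
        hits["watchlist" if known else "other"].append((no, name))
    return hits


# Constructed sample: stock entries plus the kind of lines the malware adds.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1 clients2.google.com
127.0.0.1 dl.google.com tools.google.com
0.0.0.0 virustotal.com
127.0.0.1 example-intranet.test   # not on the list, still sinkholed
192.168.1.10 fileserver.corp.test
"""

if __name__ == "__main__":
    for bucket, items in find_sinkholed(SAMPLE_HOSTS).items():
        for no, name in items:
            print(f"{bucket:9} line {no}: {name}")
```

On Windows the file to feed into find_sinkholed is %SystemRoot%\System32\drivers\etc\hosts; any hit in either bucket on a machine that is not deliberately using a hosts-based blocklist is worth following up, and the line numbers make the offending entries quick to remove.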



Analysis by Daniel Chipiristeanu

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    • %APPDATA%\chromenet.exe
    • %APPDATA%\Chromium_Launcher.exe
    • %APPDATA%\chromium.exe
  • You see these entries or keys in your registry:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Google Chromium"
    With data: "%APPDATA%\Chromium.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "EnableLUA"
    With data: "0"

    In subkey: HKLM\Software\Policies\Google\Update
    Sets value: "UpdateDefault"
    With data: "0"

Last update 17 February 2015
