Backdoor.Kihomchi
First posted on 16 April 2014.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Kihomchi.
Explanation:
When the Trojan is executed, it creates the following files:
C:\MPOS.EXE
C:\MPOS_[RANDOM NUMBER].exe
C:\Windows\KBankStar_[YEAR OF CREATION]_[MONTH OF CREATION]_[DAY OF CREATION].log
The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"METAPOS SERVICE MANAGER" = "C:\MPOS_[RANDOM NUMBER].EXE"
The Trojan opens a back door on the compromised computer, and connects to the following location on TCP port 1080:
211.43.222.199
The Trojan logs key strokes and stores them in the following location:
C:\Windows\KBankStar_[YEAR OF CREATION]_[MONTH OF CREATION]_[DAY OF CREATION].log
The Trojan may use the back door to perform the following actions:
Send stolen key strokes to the remote location
Download and execute a remote file
Last update 16 April 2014
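The file, registry and network indicators listed above can be turned into a host triage check. The following is an added example, not part of the original write-up: the event schema (`type`, `path`, `key`, `value`, `data`, `dst_ip`, `dst_port`, `proto`, `host`), the host names and the sample telemetry are constructed for illustration, and the patterns assume that [RANDOM NUMBER] is decimal digits and that the log name uses a 4-digit year with 1-2 digit month and day.

```python
import re

# Indicators from the description above. Assumptions: [RANDOM NUMBER] is decimal
# digits, and the date fields are a 4-digit year and 1-2 digit month and day.
FILE_PATTERNS = {
    "dropper": re.compile(r"C:\\MPOS\.EXE", re.I),
    "payload": re.compile(r"C:\\MPOS_\d+\.exe", re.I),
    "keylog": re.compile(r"C:\\Windows\\KBankStar_\d{4}_\d{1,2}_\d{1,2}\.log", re.I),
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "METAPOS SERVICE MANAGER"
C2_ENDPOINT = ("211.43.222.199", 1080)  # TCP

def match_event(ev):
    """Return the indicators matched by one event (hypothetical dict schema)."""
    hits = []
    if ev["type"] == "file":
        hits += ["file:" + n for n, p in FILE_PATTERNS.items() if p.fullmatch(ev["path"])]
    elif ev["type"] == "registry":
        if ev["key"].lower() == RUN_KEY.lower() and ev["value"].upper() == RUN_VALUE:
            hits.append("registry:run_value")
            if FILE_PATTERNS["payload"].fullmatch(ev["data"].strip('"')):
                hits.append("registry:payload_path")
    elif ev["type"] == "network":
        if ev["proto"] == "tcp" and (ev["dst_ip"], ev["dst_port"]) == C2_ENDPOINT:
            hits.append("network:c2")
    return hits

def triage(events):
    """Group hits per host; two or more indicator classes means high confidence."""
    per_host = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {h: {"hits": sorted(s),
                "high_confidence": len({x.split(":")[0] for x in s}) >= 2}
            for h, s in per_host.items()}

# Constructed sample telemetry; host names and field names are made up.
SAMPLE = [
    {"host": "POS-01", "type": "file", "path": r"C:\MPOS_48213.exe"},
    {"host": "POS-01", "type": "registry", "key": RUN_KEY,
     "value": "METAPOS SERVICE MANAGER", "data": r"C:\MPOS_48213.EXE"},
    {"host": "POS-01", "type": "network", "proto": "tcp",
     "dst_ip": "211.43.222.199", "dst_port": 1080},
    {"host": "WS-07", "type": "file", "path": r"C:\Windows\KBankStar_notes.log"},
    {"host": "WS-09", "type": "file", "path": r"C:\WINDOWS\KBankStar_2014_4_16.log"},
]
```

Calling `triage(SAMPLE)` returns one entry per host with at least one hit; a host matching a single indicator class (for example only the log file name) is reported but not marked high confidence.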