
Backdoor.Kivars


First posted on 08 July 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Kivars.

Explanation:

The Trojan uses the Microsoft Word icon to disguise itself as a Word document.

When the Trojan is executed, it creates the following files:
%System%\iprips.dll
%System%\winbs2.dll
%System%\klog.dat
%Temp%\NO9907HFEXE.doc

Next, the Trojan creates a service with the following properties:
Display Name: RIP Listening
Startup Type: Automatic

It then creates the following registry subkey to register the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip

The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\"Type" = "120"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\"ServiceDll" = "%System%\iprips.dll"

It then gathers the following information from the compromised computer:
Host name
IP address
User name
Malware version
Current process ID
Volume serial number of the hard disk
Recent directory path
Desktop directory path
My Documents directory path
Default locale of the operating system
Keyboard layout

The Trojan then sends the data to the following remote locations:
gsndomain.ddns.us
markettaiwan.serveuser.com

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Simulate keyboard input
Simulate mouse clicks
Get monitor settings
End processes
Change window text
Show and hide windows
Send messages between windows
Delete and rename files
Execute files
Delete files and folders
Create folders
Read a file
Download and upload files
Take a screenshot
Enumerate files
List available drives
Log keystrokes
Remove the Trojan from the compromised computer
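The following host check is an added example, not Symantec's code or a tool from the write-up. It looks for the indicators listed above on a Windows host: the dropped files, the Iprip service whose ServiceDll points at iprips.dll, and the two remote names in the DNS client cache. It assumes %System% resolves to $env:SystemRoot\System32 and %Temp% to $env:TEMP, and that it runs in an elevated PowerShell session so the HKLM service keys are readable.

```powershell
# Added example (not from the original write-up): check a host for the
# Backdoor.Kivars artifacts described above. Assumes %System% = System32 and
# %Temp% = $env:TEMP; run elevated so HKLM service keys can be read.

$system = Join-Path $env:SystemRoot 'System32'
$droppedFiles = @(
    (Join-Path $system 'iprips.dll'),
    (Join-Path $system 'winbs2.dll'),
    (Join-Path $system 'klog.dat'),
    (Join-Path $env:TEMP 'NO9907HFEXE.doc')
)
$remoteNames = @('gsndomain.ddns.us', 'markettaiwan.serveuser.com')

$findings = @()

# 1. Dropped files listed in the write-up.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# 2. Service registration: the Iprip key whose ServiceDll is iprips.dll
#    (note the trailing 's'), plus the display name the write-up gives.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Iprip'
if (Test-Path $svcKey) {
    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll -match 'iprips\.dll$') {
        $findings += "Iprip service loads suspicious ServiceDll: $($params.ServiceDll)"
    }
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc -and $svc.DisplayName -eq 'RIP Listening') {
        $findings += "Iprip service display name matches write-up: $($svc.DisplayName)"
    }
}

# 3. Remote locations: a cached DNS entry shows the host resolved one of them.
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($name in $remoteNames) {
    if ($dnsCache | Where-Object { $_.Entry -eq $name }) {
        $findings += "DNS client cache contains remote name: $name"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Kivars artifacts from this write-up were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the ServiceDll check alone is the strongest of these indicators, since a legitimate Iprip service key would not load a DLL named iprips.dll; the file and DNS checks only reflect what is still on disk or in cache at the time of the scan.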

Last update 08 July 2014
