
Backdoor:Win32/Kelihos.F


First posted on 30 April 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Kelihos.F is also known as BDS/Kelihos.F.50 (Avira), Trojan.Packed.2339 (Dr.Web), Trojan.Win32.FakeAv.lqyd (Kaspersky), Mal/FakeAV-QV (Sophos).

Explanation:



Backdoor:Win32/Kelihos.F is a trojan that gives an attacker unauthorized remote access to, and control of, the affected computer over an Internet connection. The trojan is a component of the Win32/Kelihos malware family. Win32/Kelihos distributes spam email messages that may contain hyperlinks to installers of the malware. It may also communicate with remote computers to exchange the information it uses to carry out various tasks, such as sending spam email messages, stealing sensitive information, or downloading and executing arbitrary files.



Installation

Backdoor:Win32/Kelihos.F may be installed by other malware such as TrojanDownloader:Win32/Waledac.C or other variants of Win32/Kelihos. The trojan may be present as the following file:

  • %windir%\temp\temp68.exe


The registry is modified to execute the installed trojan at each Windows startup, as in the following example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "IntelAgent"
With data: "%windir%\temp\temp68.exe"

The malware creates registry entries to store its configuration data:

In subkey: HKCU\Software\Intel
Sets value: "DATAID"
With data: "<variable data>"

Sets value: "DATA"
With data: "0x00000050"

Sets value: "DATA2"
With data: "<variable data>"

Sets value: "DATA3"
With data: "<variable data>" (contains the IP addresses of the remote hosts the malware connects to)

When executed, Backdoor:Win32/Kelihos.F also installs the following legitimate WinPcap (packet capture library) binaries:

  • <system folder>\packet.dll (not malware)
  • <system folder>\wpcap.dll (not malware)
  • <system folder>\drivers\npf.sys (not malware)
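As an added example (not part of the Microsoft write-up), the following Python script checks an offline registry export and a file listing for the host indicators listed in this section: the Run value, the four DATA* values under HKCU\Software\Intel, the dropped temp68.exe, and the WinPcap components. The .reg text and file paths are constructed sample data; the helper names, the expanded path C:\Windows, and the semicolon-separated layout of DATA3 are assumptions, since the write-up only says DATA3 holds IP addresses.

```python
"""Offline triage for the Backdoor:Win32/Kelihos.F host indicators listed above.

Added example, not part of the original Microsoft write-up. It parses a
Windows .reg export (the text format written by `reg export`) and a list of
file paths, both constructed inline, and reports which documented indicators
are present. Key and value names come from the write-up; the sample values,
the expanded %windir% path and the DATA3 layout are this example's assumptions.
"""
import re
from typing import Dict, List

# Constructed sample of `reg export` output from an infected host (illustrative values).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"IntelAgent"="C:\\Windows\\temp\\temp68.exe"

[HKEY_CURRENT_USER\Software\Intel]
"DATAID"="a1b2c3d4"
"DATA"=dword:00000050
"DATA2"=hex:01,02,03
"DATA3"="203.0.113.10;198.51.100.7"
"""

# Constructed sample file listing (assumes %windir% = C:\Windows, system folder = system32).
SAMPLE_FILES = [
    r"C:\Windows\temp\temp68.exe",
    r"C:\Windows\system32\packet.dll",
    r"C:\Windows\system32\wpcap.dll",
    r"C:\Windows\system32\drivers\npf.sys",
    r"C:\Windows\system32\kernel32.dll",
]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
CONFIG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\INTEL"
CONFIG_VALUES = {"DATAID", "DATA", "DATA2", "DATA3"}
DROPPED_SUFFIX = r"\temp\temp68.exe"          # %windir%\temp\temp68.exe
WINPCAP_FILES = ("packet.dll", "wpcap.dll", r"drivers\npf.sys")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {KEY_PATH (upper-cased): {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).upper()
            keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys


def unquote(raw: str) -> str:
    """Strip the quotes from a REG_SZ literal and collapse the doubled backslashes .reg uses."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def reg_dword(raw: str) -> int:
    """Decode a `dword:XXXXXXXX` literal; raises ValueError for other value types."""
    if not raw.startswith("dword:"):
        raise ValueError("not a REG_DWORD literal: " + raw)
    return int(raw[len("dword:"):], 16)


def find_indicators(reg: Dict[str, Dict[str, str]], files: List[str]) -> List[str]:
    """Return human-readable findings for each documented Kelihos.F indicator present."""
    findings: List[str] = []

    # Persistence: the Run value name and file name are the write-up's example; real
    # samples may vary either, so match on both the name and the dropped path.
    for name, raw in reg.get(RUN_KEY, {}).items():
        data = unquote(raw)
        if name.lower() == "intelagent" or data.lower().endswith(DROPPED_SUFFIX):
            findings.append(f"Run value {name!r} -> {data}")

    # Configuration: HKCU\Software\Intel exists legitimately on many hosts, so only the
    # full set of DATA* values documented above is treated as the Kelihos configuration.
    cfg = reg.get(CONFIG_KEY, {})
    if CONFIG_VALUES <= set(cfg):
        findings.append("Kelihos config values under HKCU\\Software\\Intel: "
                        + ", ".join(sorted(CONFIG_VALUES)))
        # DATA3 holds peer IP addresses; its encoding is undocumented, so just pull dotted quads.
        ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", unquote(cfg["DATA3"]))
        if ips:
            findings.append("DATA3 peer addresses: " + ", ".join(ips))

    # Dropped binary and WinPcap components (the latter are legitimate, so context only).
    lowered = [f.lower() for f in files]
    findings.extend(f"Dropped file present: {f}" for f in lowered if f.endswith(DROPPED_SUFFIX))
    pcap = [f for f in lowered if any(f.endswith("\\" + w.lower()) for w in WINPCAP_FILES)]
    if pcap:
        findings.append(f"WinPcap components present (legitimate, but used by Kelihos): {len(pcap)}")
    return findings


if __name__ == "__main__":
    for line in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT), SAMPLE_FILES):
        print(line)
```

On a live host the same checks map to `reg export` of the two keys and a directory listing of %windir%\temp and the system folder; the WinPcap files are reported as context only, because a legitimate capture tool installs the same three binaries.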


Payload

Communicates with a remote host to retrieve further payload instructions

Backdoor:Win32/Kelihos.F exchanges encrypted messages with a remote computer via HTTP to retrieve other payload instructions. Depending on the message content, Kelihos may perform any of these actions:

  • Update the list of computers that the malware connects to and exchanges information with
    (Note: the computers in this list may themselves be compromised by the malware)
  • Send spam email messages
  • Steal sensitive information
  • Send notifications or reports
  • Download and execute an arbitrary file

Additional information

For more information about Win32/Kelihos, see the description elsewhere in the encyclopedia.



Analysis by Edgardo Diaz

Last update 30 April 2012
