
TrojanDownloader:Win32/Kepma.B


First posted on 01 March 2013.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Kepma.B is also known as W32/Kraddare.UT (Norman), Adware/Kraddare.BP (Avira), Win32/Adware.Kraddare.GQ application (ESET).

Explanation:



TrojanDownloader:Win32/Kepma.B is a trojan that downloads potentially unwanted software.



Installation

TrojanDownloader:Win32/Kepma.B may have the file name "barocn.exe". It may be installed by a file named "Setup_brcr_h.exe". The installer is also detected as TrojanDownloader:Win32/Kepma.B.

When run, the installer creates the following folders:

  • %ProgramFiles%\barocn
  • %USERPROFILE%\Favorites\Links


Within which it creates the following files:

  • %ProgramFiles%\barocn\barocn.exe - detected as TrojanDownloader:Win32/Kepma.B
  • %ProgramFiles%\barocn\barosvc.exe
  • %ProgramFiles%\barocn\uninst.exe
  • %USERPROFILE%\Favorites\Links\11번가.url - points to http://11st.baroicon.com
  • %USERPROFILE%\Favorites\Links\옥션.url - points to http://auction.baroicon.com
  • %USERPROFILE%\Favorites\Links\지마켓.url - points to http://gmarket.baroicon.com


It may also create the following files:

  • %windir%\1.ico
  • %windir%\2.ico
  • %windir%\3.ico


which are the icon files used in the dropped URL files, respectively.

TrojanDownloader:Win32/Kepma.B installs itself as a service with the name "barocn svc", by creating the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\barocn
Sets value: "Description"
With data: "barocn launcher"
Sets value: "DisplayName"
With data: "barocn svc"
Sets value: "ErrorControl"
With data: "0x00000001"
Sets value: "ImagePath"
With data: "%ProgramFiles%\barocn\barosvc.exe"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Start"
With data: "0x00000002"
Sets value: "Type"
With data: "0x00000010"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BAROCN\0000
Sets value: "Class"
With data: "LegacyDriver"
Sets value: "ClassGUID"
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "ConfigFlags"
With data: "0x00000000"
Sets value: "DeviceDesc"
With data: "barocn svc"
Sets value: "Legacy"
With data: "0x00000001"
Sets value: "Service"
With data: "barocn"

It also creates an uninstall entry for itself in the "Uninstall or change a program" list with the name "Windows barocon" by creating the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows barocon
Sets value: "DisplayIcon"
With data: "%ProgramFiles%\barocn\barocn.exe"
Sets value: "DisplayName"
With data: "Windows barocon"
Sets value: "DisplayVersion"
With data: ""
Sets value: "Publisher"
With data: "Baro, Inc."
Sets value: "UninstallString"
With data: "%ProgramFiles%\barocn\uninst.exe"

It also creates the following registry key as part of its installation routine:

HKCU\Software\barocn
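An added detection script (not part of Microsoft's write-up) that checks a Windows host for the installation artifacts described in this section, together with the cns.dat file and the service name noted further down; every path, key and value name is taken from this page, and the script only reports findings, it removes nothing:

```powershell
# Added detection check for the Kepma.B host artifacts listed on this page; run in an elevated session.
$findings = @()

# 1. Service registration under HKLM\SYSTEM\CurrentControlSet\Services\barocn
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\barocn'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key: DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)' Start=$($svc.Start)"
}

# 2. Legacy-driver enumeration entry and the per-user key
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BAROCN\0000',
                 'HKCU:\Software\barocn') {
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}

# 3. Uninstall entry "Windows barocon" (spelled differently from the barocn folder)
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows barocon'
if (Test-Path $uninst) {
    $u = Get-ItemProperty -Path $uninst
    $findings += "Uninstall entry: Publisher='$($u.Publisher)' UninstallString='$($u.UninstallString)'"
}

# 4. Dropped files: program folder, icon files, and the Favorites shortcuts.
#    The .url file names are Korean, so match on the baroicon.com target instead.
$dir = Join-Path $env:ProgramFiles 'barocn'
foreach ($f in 'barocn.exe', 'barosvc.exe', 'uninst.exe', 'cns.dat') {
    $p = Join-Path $dir $f
    if (Test-Path $p) { $findings += "File: $p SHA256=$((Get-FileHash $p -Algorithm SHA256).Hash)" }
}
foreach ($i in 1..3) {
    $ico = Join-Path $env:windir "$i.ico"
    if (Test-Path $ico) { $findings += "Icon file: $ico" }
}
$links = Join-Path $env:USERPROFILE 'Favorites\Links'
if (Test-Path $links) {
    foreach ($lnk in Get-ChildItem -Path $links -Filter '*.url') {
        if (Select-String -Path $lnk.FullName -Pattern 'baroicon\.com' -Quiet) {
            $findings += "Favorites shortcut to baroicon.com: $($lnk.FullName)"
        }
    }
}

# 5. Is the service currently known to the Service Control Manager?
$live = Get-Service -Name 'barocn' -ErrorAction SilentlyContinue
if ($live) { $findings += "Service 'barocn' registered with SCM, status $($live.Status)" }

if ($findings.Count -eq 0) { 'No Kepma.B indicators found.' } else { $findings }
```

The file hashes are printed so they can be compared against your antimalware vendor's detections; the icon files are generic names and only matter alongside the other indicators.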



Payload

Downloads malware or potentially unwanted software

TrojanDownloader:Win32/Kepma.B downloads files from the website "cnt.baroicon.com". In the wild, we have observed this trojan downloading files detected as the following:

  • Rogue:Win32/Onescan
  • Adware:Win32/Kraddare


It may also download the following file from the server:

%ProgramFiles%\barocn\cns.dat

Sends your information to a server

TrojanDownloader:Win32/Kepma.B connects to the same server to report its activities on your computer, for example, whether it was installed or uninstalled. It also sends your MAC address to the server.

It also checks if any of the following processes are running. These are programs used to manage your computer:

  • gamedcup.exe
  • gchartc.exe
  • gcrawl.exe
  • getotb.exe
  • gtiexp.exe
  • gtlexp.exe
  • pcwc.exe
  • pcwc_ag.exe
  • picatoolsmgr.exe
  • ptclient.exe
  • qaagent.exe
  • wmcounter.exe




Analysis by Patrik Vicol

Last update 01 March 2013
