Worm:Win32/Kalockan.A
First posted on 27 August 2016.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/Kalockan.A.
Explanation:
Installation
We observed the threat compressed ("zipped") as an attachment to spam mail, using the following file names for the attachment:
- _06_2016 pdf_ppt.ppt.exe
- img_0727_09583302210_foto.jpeg.exe
- img-doc7690587498310980911.pdf.exe
- operation list-June 2016 (draft).docx.exe
- S60904399302.005.0021.2016.06.28.xlsx.exe
The threat runs when the email recipient opens the attachment.
The threat also checks the BIOS, Windows installation date, video card details, and if certain security tools are running on the PC (Ahnlab and SecureBrain PhishWall) before it decides to run.
The threat drops copies of itself with a random file name to the following folder:
- %APPDATA%\roaming\random.exe
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "VALUE"
With data: "", for example %APPDATA%\roaming\
The threat also drops a copy of itself, called mixerqc.exe, and sets it to run by creating a shortcut file (.lnk extension) in %APPDATA%.
The threat injects itself into explorer.exe so it can try to run without your knowledge.
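Two of the indicators described in this section lend themselves to simple host-side triage: the double-extension attachment names (a document or image extension directly followed by an executable one) and an autorun entry whose data points into the roaming profile. The following script is an added example, not part of the original write-up; the extension sets, the sample inventory and the random file name it uses are constructed for illustration.

```python
# Extensions that execute on Windows, and the document/image extensions the
# lure names imitate. Both sets are assumptions chosen for this example.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "ppt", "pptx", "doc", "docx", "xls", "xlsx", "jpeg", "jpg", "png"}

def is_double_extension_lure(filename: str) -> bool:
    """True when the name ends in an executable extension with a decoy
    document/image extension directly before it, e.g. 'foto.jpeg.exe'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:  # fewer than two extensions: not this pattern
        return False
    return parts[2] in EXECUTABLE_EXTS and parts[1] in DECOY_EXTS

def is_profile_autorun(data: str) -> bool:
    """True when a Run-key command launches something from the roaming
    profile (%APPDATA%), the drop location the write-up names."""
    cmd = data.strip().strip('"').lower()
    return cmd.startswith("%appdata%") or "\\appdata\\roaming\\" in cmd

def triage(attachments, run_values):
    """Return (kind, item) pairs for every attachment name or Run-key value
    (value_name, data) that matches one of the heuristics above."""
    hits = []
    for name in attachments:
        if is_double_extension_lure(name):
            hits.append(("attachment", name))
    for value_name, data in run_values:
        if is_profile_autorun(data):
            hits.append(("run_key", value_name))
    return hits

if __name__ == "__main__":
    # Constructed sample inventory: two names from the write-up plus benign controls.
    sample_attachments = [
        "img_0727_09583302210_foto.jpeg.exe",
        "operation list-June 2016 (draft).docx.exe",
        "quarterly_report.pdf",
        "archive.tar.gz",
    ]
    sample_run_values = [  # (value name, data) as read from the Run key
        ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
        ("VALUE", r"%APPDATA%\roaming\ab3kz1.exe"),  # constructed random file name
    ]
    for kind, item in triage(sample_attachments, sample_run_values):
        print(f"{kind}: {item}")
```

Both checks produce leads for review rather than verdicts: some legitimate software also starts from the roaming profile, so a Run-key hit should be confirmed against the binary's publisher and hash.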
Payload
Opens a backdoor
This threat acts as a backdoor on your PC. The threat can allow a remote attacker to take control of your PC, and can perform the following actions:
- Report infection information, such as the operating system version and the language locale
- Intercept HTTP traffic from web browsers, including Internet Explorer, Firefox, and Chrome
- Run a shell command
- Download and run files
- Run an HTTP or SOCKS proxy server (the port is specified by the remote attacker)
- Update itself
Connects to a remote server
We have seen the threat try to connect to the following remote server:
- 443sinpbczbq.net
Additional information
The following SHA1s were used in this analysis:
Analysis by Mihai Calota. Last update 27 August 2016.