
TrojanDownloader:Win32/Kanav.G


First posted on 15 March 2013.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Kanav.G is also known as Trojan/Win32.OnlineGameHack (AhnLab), W32/Alyak.A (Norman), TR/Dldr.Kanav.G.2 (Avira), Gen:Variant.Graftor.73665 (BitDefender), Trojan.KillProc.22055 (Dr.Web), Win32/Alyak.F trojan (ESET), Trojan-Downloader.Win32.Kanav (Ikarus), Trojan.Alyak!4C53 (Rising AV), Troj/Kanav-D (Sophos).

Explanation:



Installation

TrojanDownloader:Win32/Kanav.G creates a copy of itself as:

%ProgramFiles%\Common Files\Apple\Mobile Device Support\apple.exe

It creates the following registry entry so that its copy automatically runs every time your computer starts:

In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<random CLSID>
Sets value: "stubpath"
With data: "%ProgramFiles%\Common Files\Apple\Mobile Device Support\apple.exe"
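A defender's triage of the Active Setup persistence described above, as an added example that is not part of the original entry: it parses an exported Installed Components key, pulls out every StubPath value and flags the apple.exe stub from this description. The .reg text and both CLSIDs are constructed for the example, and the "review" heuristic assumes that stubs shipped with Windows live under %SystemRoot%.

```python
import re

# Constructed sample of a "reg export" of the Active Setup key (not from the page);
# the two CLSIDs are placeholders. Only the second entry mirrors the described persistence.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"stubpath"="C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\apple.exe"
"""

KANAV_STUB = r"common files\apple\mobile device support\apple.exe"
KEY_RE = re.compile(r"^\[(.+\\Active Setup\\Installed Components\\[^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"(stubpath)"="(.*)"$', re.I)   # value names are case-insensitive

def parse_stubpaths(reg_text):
    """Return {key, stubpath} for every StubPath value under Installed Components."""
    records, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m, v = KEY_RE.match(line), VAL_RE.match(line)
        if m:
            current_key = m.group(1)
        elif line.startswith("["):        # some other key: stop collecting
            current_key = None
        elif v and current_key:
            # .reg files escape backslashes and double quotes inside string data
            data = v.group(2).replace("\\\\", "\\").replace('\\"', '"')
            records.append({"key": current_key, "stubpath": data})
    return records

def triage(records):
    """Label each stub: 'kanav' for this description's indicator, 'ok' under %SystemRoot%,
    'review' for anything else (third-party installers use Active Setup too: a lead, not a verdict)."""
    out = []
    for r in records:
        path = r["stubpath"].lower()
        if KANAV_STUB in path:
            verdict = "kanav"
        elif path.startswith(("c:\\windows\\", "%systemroot%\\", "%windir%\\")):
            verdict = "ok"
        else:
            verdict = "review"
        out.append((r["key"].rsplit("\\", 1)[-1], verdict, r["stubpath"]))
    return out

for clsid, verdict, stub in triage(parse_stubpaths(SAMPLE_REG)):
    print(f"{verdict:7} {clsid}  {stub}")
```

On a live host the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" file.reg`.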



Payload

Downloads other malware

TrojanDownloader:Win32/Kanav.G connects to certain websites, such as the following:

  • akxkalx1.blog.163.com
  • ilo.brenz.pl
  • lokias111234.blog.163.com


These pages are RSS feeds that might return an encrypted string such as "**C2CCC9AC0B0B03C96D6D01010168A20906A2AEADA8ADAA0668AEADAA6D0CAAA06DC4C3CFCFC3C1CFCB6DADC268A1A6A7CD#". When decrypted, the string is a URL from which TrojanDownloader:Win32/Kanav.G tries to download and run files. For example, the string above decrypts to "ezyeconomy.com/<blocked>/20110714/o5.gif", which is detected as Trojan:Win32/Qhost.

Deletes online game settings

TrojanDownloader:Win32/Kanav.G deletes the following registry subkey, if it exists on your computer:

HKCU\Software\Blizzard Entertainment\Battle.net\Identity

This registry subkey contains information about your Battle.net account, if you have one.

Gathers information

TrojanDownloader:Win32/Kanav.G may steal the following information about your computer, which it then sends to "exeinfo1.org":

  • Your CPU ID
  • What version of Windows you have on your computer
  • Your MAC address




Analysis by Marianne Mallen

Last update 15 March 2013
