Trojan:Win32/Kovter.B


First posted on 18 January 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Kovter.B.

Explanation:

Threat behavior

Installation

Trojan:Win32/Kovter.B has the file name %APPDATA%\kb\kb.exe, for example, %APPDATA%\KB9112247\KB9112247.exe.

It changes your registry so that it runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "kb"
With data: "%APPDATA%\kb\kb.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "kb"
With data: "%APPDATA%\kb\kb.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, "%APPDATA%\kb\kb.exe""

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB9112247"
With data: "%APPDATA%\KB9112247\KB9112247.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "KB9112247"
With data: "%APPDATA%\KB9112247\KB9112247.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, "%APPDATA%\KB9112247\KB9112247.exe""

It also creates registry entries as infection markers; infection markers are signs that this threat is installed on your PC:

In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "1"
With data: "<16-digit hexadecimal number based on PC information>"

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "3"
With data: "%APPDATA%\kb\kb.exe"

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "4"
With data: "<10-digit number based on Kovter's installation time>"

For example:

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "1"
With data: "9109FF4AEFCE1111"

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "3"
With data: "%APPDATA%\KB9112247\KB9112247.exe"

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "4"
With data: "1389705410"

It checks if it's running in a virtual machine or if any malware analysis tools or debuggers are running on your PC. If so, it stops itself.
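As an added example that is not part of the original description, the following Python script applies the persistence and infection-marker patterns listed above to a constructed, simplified text export of registry entries (one key|value name|data line each). The key paths and example values are the ones given above; the benign "Updater" entry is made up to show that the rules do not fire on an ordinary autorun.

```python
import re

# Constructed sample (not a real export): one "key|value name|data" line per entry, mirroring
# the example values given in the description above plus one benign autorun entry.
SAMPLE_ENTRIES = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KB9112247|%APPDATA%\KB9112247\KB9112247.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Program Files\Vendor\updater.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|KB9112247|%APPDATA%\KB9112247\KB9112247.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell|explorer.exe, "%APPDATA%\KB9112247\KB9112247.exe"
HKLM\SOFTWARE\0708FC4A|1|9109FF4AEFCE1111
HKLM\SOFTWARE\0708FC4A|3|%APPDATA%\KB9112247\KB9112247.exe
HKLM\SOFTWARE\0708FC4A|4|1389705410
"""

RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
}
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# %APPDATA%\<name>\<name>.exe, with the same <name> for folder and file (the kb\kb.exe pattern)
KOVTER_PATH = re.compile(r"^%APPDATA%\\([^\\]+)\\\1\.exe$", re.IGNORECASE)
# Infection-marker key: HKLM\SOFTWARE\<8-digit hexadecimal number>
MARKER_KEY = re.compile(r"^HKLM\\SOFTWARE\\[0-9A-F]{8}$", re.IGNORECASE)

def parse_entries(text):
    """Turn the simplified 'key|name|data' lines into (key, name, data) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            key, name, data = line.split("|", 2)
            entries.append((key, name, data))
    return entries

def find_kovter_indicators(entries):
    """Return one finding string per artifact that matches the description above."""
    findings, markers = [], {}
    for key, name, data in entries:
        if key in RUN_KEYS and KOVTER_PATH.match(data):
            findings.append(f"autorun {key}\\{name} -> {data}")
        elif key == WINLOGON_KEY and name.lower() == "shell" and data.strip().lower() != "explorer.exe":
            findings.append(f"Winlogon Shell modified: {data}")
        elif MARKER_KEY.match(key):
            markers.setdefault(key, {})[name] = data
    for key, values in markers.items():
        # Value "1" is 16 hex digits, "3" the dropped executable, "4" a 10-digit install timestamp
        if (re.fullmatch(r"[0-9A-F]{16}", values.get("1", ""), re.IGNORECASE)
                and KOVTER_PATH.match(values.get("3", ""))
                and re.fullmatch(r"\d{10}", values.get("4", ""))):
            findings.append(f"infection marker key {key}")
    return findings
```

Running find_kovter_indicators(parse_entries(SAMPLE_ENTRIES)) reports both autorun entries, the modified Winlogon Shell value and the marker key, and nothing for the Updater entry.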

Payload

Connects to a server

Trojan:Win32/Kovter.B connects to these servers to receive commands and configuration data from a hacker:

  • fz5qiter.biz
  • qx5xyngo.org


One of the commands it might receive is to download and run other malware on your PC.

It connects to a different server to send information about your PC:

  • cnc2-bt01.biz


It sends information about your PC, like passwords saved by your browsers and cookies.

Locks your screen

This threat might lock your screen, preventing you from accessing your desktop. It might display this message, or something similar:

"Please connect to the internet...."

Disables Task Manager and Registry Editor

This threat prevents you from running these tools:

  • Task Manager
  • Registry editor


Opens adult-oriented websites

This threat might automatically open a website containing adult content.



Analysis by Steven Zhou

Symptoms

The following could indicate that you have this threat on your PC:

  • You cannot access your desktop, and you see a message saying "Please connect to the internet...."
  • Your browser might automatically go to a website containing adult content
  • You can't run Task Manager or Registry Editor

Last update 18 January 2014
