
MSIL/Kivat


First posted on 19 September 2014.
Source: Microsoft

Aliases:

There are no other names known for MSIL/Kivat.

Explanation:

Threat behavior

Installation

MSIL/Kivat can be installed on your PC via a malicious attachment to a spam email, for example:

  • Video-Play.exe
  • watchvideo.mp4.exe
  • winupdater.exe


Variants in this family can stop the chrome.exe process from running on your PC.

They then search the %APPDATA%\Google\Chrome directory for Chrome browser extensions. If found, they install a malicious extension by creating a new folder, for example:

  • %APPDATA%\Google\Chrome\..\Extensions\iacffndadciecdcopofkkegcpcmnjpph


They download plugin data from a remote host to this folder. Some of the hosts we have seen contacted include:

  • clckq../macod/bg.js
  • clckq. ./macod/manifest.json
  • clckq../macod/Preferences.txt
  • executive...com/svn/branches/jsas.txt
  • executive. ..com/svn/branches/manifest.json
  • executive. ..com/svn/branches/Preferences.txt
  • executive. .com/svn/branches/bgas.txt
  • macod-..com/eee/bgqm.txt
  • macod-./eee/manifest.json
  • macod-.com/eee/jsxmq.txt
  • macod-.com/eee/Preferences.txt


The malicious extension can be installed with the following file names:

  • bg.js
  • bgas.txt
  • bgqm.txt
  • jsas.txt
  • jsxmq.txt
  • manifest.json
  • Preferences


Once downloaded, the malicious extension copies itself to C:\WINDOWSUPDATA\winupdater.exe.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winupdater.exe
Sets value: "winupdater.exe"
With data: "C:\WINDOWSUPDATE\winupdater.exe"

Once installed, MSIL/Kivat variants run the Chrome browser to enable the new malicious extension.
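The installation steps above leave three host artefacts a responder can check: the Run value, the dropped executable, and the extension folder under the Chrome profile. The following is an added triage example, not part of the Microsoft write-up; the indicator values are quoted from the description above, while the generic heuristics (a Windows-lookalike top-level folder, an executable outside the usual install roots), the function names and the expected-root list are this example's own assumptions. The check_* functions take already collected data so they run on any platform; collect_windows() is an optional collector for a live Windows host.

```python
"""Triage a Windows host for the MSIL/Kivat persistence and extension indicators.

Added example; not part of the Microsoft write-up. Indicator values are quoted
from the description; heuristics, names and expected roots are assumptions.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Indicators from the write-up. It spells the drop folder both WINDOWSUPDATA
# and WINDOWSUPDATE, so both are matched.
KIVAT_RUN_VALUE = "winupdater.exe"
KIVAT_DROP_PATHS = {"c:\\windowsupdate\\winupdater.exe", "c:\\windowsupdata\\winupdater.exe"}
KIVAT_EXTENSION_ID = "iacffndadciecdcopofkkegcpcmnjpph"

# Assumed roots under which a legitimately installed Run entry normally lives.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                  "c:\\windows\\", "c:\\users\\")
CHROME_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension ids: 32 chars, a-p only


def _exe_path(data: str) -> str:
    """Extract the lower-cased executable path from Run-value data (quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end].lower() if end > 0 else data[1:].lower()
    low = data.lower()
    idx = low.find(".exe")
    return low[:idx + 4] if idx >= 0 else low.split(" ", 1)[0]


def check_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Findings for HKCU\\...\\Run values (value name -> data)."""
    findings = []
    for name, data in run_values.items():
        exe = _exe_path(data)
        if name.lower() == KIVAT_RUN_VALUE or exe in KIVAT_DROP_PATHS:
            findings.append(f"known Kivat persistence: {name} -> {data}")
            continue
        top = re.match(r"^[a-z]:\\([^\\]+)\\", exe)
        if top and top.group(1).startswith("windows") and top.group(1) != "windows":
            # e.g. C:\WINDOWSUPDATE\..., a folder named to look like the real C:\Windows
            findings.append(f"Windows-lookalike folder in Run entry: {name} -> {data}")
        elif not exe.startswith(EXPECTED_ROOTS):
            findings.append(f"Run entry outside expected install roots: {name} -> {data}")
    return findings


def check_dropped_files(existing_paths: Iterable[str]) -> List[str]:
    """Findings for files that exist on disk at the documented drop locations."""
    return [f"Kivat drop file present: {p}" for p in existing_paths if p.lower() in KIVAT_DROP_PATHS]


def check_extension_dirs(dir_names: Iterable[str]) -> List[str]:
    """Findings for folder names found under the Chrome profile's Extensions folder."""
    findings = []
    for name in dir_names:
        if name.lower() == KIVAT_EXTENSION_ID:
            findings.append(f"known Kivat extension folder: {name}")
        elif not CHROME_ID_RE.match(name.lower()):
            findings.append(f"folder is not a valid Chrome extension id: {name}")
    return findings


def triage(run_values: Dict[str, str], existing_paths: Iterable[str],
           extension_dirs: Iterable[str]) -> List[str]:
    """Combine the three checks into one list of findings."""
    return (check_run_entries(run_values) + check_dropped_files(existing_paths)
            + check_extension_dirs(extension_dirs))


def collect_windows() -> Tuple[Dict[str, str], List[str], List[str]]:
    """Collect the three inputs on a live Windows host (win32 only). Assumes the default
    Chrome profile; both %APPDATA% (as in the write-up) and %LOCALAPPDATA% are searched."""
    import winreg  # Windows-only module
    run: Dict[str, str] = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values
                break
            run[name] = str(data)
            index += 1
    candidates = ("C:\\WINDOWSUPDATE\\winupdater.exe", "C:\\WINDOWSUPDATA\\winupdater.exe")
    present = [p for p in candidates if os.path.isfile(p)]
    dirs: List[str] = []
    for base in ("APPDATA", "LOCALAPPDATA"):
        root = os.path.join(os.environ.get(base, ""), "Google", "Chrome",
                            "User Data", "Default", "Extensions")
        if os.path.isdir(root):
            dirs.extend(os.listdir(root))
    return run, present, dirs


if __name__ == "__main__":
    if sys.platform == "win32":
        inputs = collect_windows()
    else:
        # Constructed sample input so the script demonstrates itself off-Windows.
        inputs = ({"winupdater.exe": "C:\\WINDOWSUPDATE\\winupdater.exe",
                   "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
                  [], ["iacffndadciecdcopofkkegcpcmnjpph", "abcdefghijklmnopabcdefghijklmnop"])
    for line in triage(*inputs) or ["no Kivat indicators found"]:
        print(line)
```

The lookalike heuristic is worth keeping after this family is gone: a Run entry whose top-level folder starts with "windows" but is not C:\Windows is a common way to make a dropped executable look legitimate in a casual listing.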

Payload

Downloads browser extensions

Variants in this family can download and install Chrome browser extensions without your consent. These extensions can gain access to your social networking sites such as:

  • Ask.fm
  • Facebook.com
  • Twitter.com
  • YouTube.com
  • Vk.com


They can use your social media profile without your consent to post messages, like pages or follow profiles.

Blocks some websites

MSIL/Kivat can stop you from accessing some security-related websites. We have seen the malicious extension blocking the following sites:

  • akamai.net
  • avast.com
  • avg.com
  • dl.dropboxusercontent.com/s
  • docs.google.com
  • drive.google.com
  • eset.com
  • facebook.com/ajax/follow/unfollow_profile.php
  • facebook.com/ajax/webstorage/process_keys.php
  • facebook.com/checkpoint/malware/cr_ext_config
  • facebook.com/checkpoint/malware/cr_ext_log
  • facebook.com/csp.php
  • facebook.com/xti.php
  • fei-coder.com
  • fiddle.jshell.net
  • googlecode.com
  • jotti.org
  • jscmd.net
  • kaspersky.com
  • kaspersky.com.tr
  • kingusd.com
  • mcafee.com
  • microsoft.com
  • nod32.com
  • nod32.com.tr
  • orjinalmarket.net
  • rackcdn.com
  • sansurcrx.com
  • sosyalmedyakusu.com
  • vatansana.com
  • video-izleyin.tk
  • virusscan.jotti.org
  • virustotal.com
  • vuupc.com
  • wjetphp.com
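Blocking the sites listed above from inside the browser, and acting inside social-network sessions, requires an extension with the webRequest (blocking) permission and broad host access; an extension dropped the way the Installation section describes is also unpacked (manifest.json directly under the id folder rather than a version subfolder, and no Chrome Web Store update URL). The following is an added audit example, not part of the Microsoft write-up: it walks a Chrome Extensions folder and flags those traits. The write-up does not show the extension's manifest, so the manifest contents in build_demo_tree() are constructed; the function names and the Web Store update URL check are this example's own assumptions.

```python
"""Audit Chrome extension folders for the traits a Kivat-style extension needs.

Added example; not part of the Microsoft write-up. Manifest contents used for
the demo are constructed; function names and thresholds are assumptions.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")
KNOWN_BAD_IDS = {"iacffndadciecdcopofkkegcpcmnjpph"}  # folder id from the write-up


def audit_manifest(ext_id: str, manifest: Dict, unpacked: bool) -> List[str]:
    """Findings for one parsed manifest (MV2 or MV3 permission layout)."""
    findings = []
    if ext_id.lower() in KNOWN_BAD_IDS:
        findings.append("known Kivat extension id")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if unpacked:
        findings.append("manifest sits directly under the id folder (unpacked, not Web Store layout)")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("no Chrome Web Store update_url")
    if "webRequestBlocking" in perms or "webRequest" in perms:
        findings.append("can observe/block web requests (webRequest)")
    if perms & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(perms & BROAD_HOSTS)))
    return findings


def audit_extensions_root(root: str) -> Dict[str, List[str]]:
    """Walk <root>/<id>[/<version>]/manifest.json and return findings per extension id."""
    report: Dict[str, List[str]] = {}
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        direct = os.path.join(ext_dir, "manifest.json")
        if os.path.isfile(direct):
            manifests = [(direct, True)]  # no version subfolder: unpacked layout
        else:
            manifests = [(os.path.join(ext_dir, ver, "manifest.json"), False)
                         for ver in sorted(os.listdir(ext_dir))
                         if os.path.isfile(os.path.join(ext_dir, ver, "manifest.json"))]
        findings = [] if EXTENSION_ID_RE.match(ext_id.lower()) else ["folder name is not a valid extension id"]
        for path, unpacked in manifests:
            with open(path, encoding="utf-8") as fh:
                try:
                    manifest = json.load(fh)
                except json.JSONDecodeError:
                    findings.append(f"unparsable manifest: {path}")
                    continue
            findings.extend(audit_manifest(ext_id, manifest, unpacked))
        report[ext_id] = findings
    return report


def build_demo_tree() -> str:
    """Create a constructed Extensions folder: one Web Store-style extension and one laid
    out like the Kivat drop (manifest.json, bg.js and Preferences straight under the id)."""
    root = tempfile.mkdtemp(prefix="extensions_demo_")
    benign = os.path.join(root, "abcdefghijklmnopabcdefghijklmnop", "1.0_0")
    os.makedirs(benign)
    with open(os.path.join(benign, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 3, "name": "Demo notes", "version": "1.0",
                   "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]}, fh)
    dropped = os.path.join(root, "iacffndadciecdcopofkkegcpcmnjpph")
    os.makedirs(dropped)
    with open(os.path.join(dropped, "manifest.json"), "w", encoding="utf-8") as fh:
        # Constructed manifest; the real one is not shown in the write-up.
        json.dump({"manifest_version": 2, "name": "Video Player", "version": "1.1",
                   "background": {"scripts": ["bg.js"]},
                   "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "tabs"]}, fh)
    for extra in ("bg.js", "Preferences"):
        open(os.path.join(dropped, extra), "w").close()
    return root


if __name__ == "__main__":
    for ext_id, findings in audit_extensions_root(build_demo_tree()).items():
        print(ext_id, "->", "; ".join(findings) or "nothing notable")
```

On a real host, point audit_extensions_root() at the profile's Extensions folder (the write-up gives %APPDATA%\Google\Chrome; current builds use %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions). A Web Store extension that legitimately needs webRequest will still produce that single finding, so the combination of unpacked layout, missing update_url and broad host access is the signal, not any one line.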


Stops Chrome processes

MSIL/Kivat monitors Chrome and stops the Task Manager (Görev Yöneticisi) from running.



Analysis by Steven Zhou

Symptoms

The following could indicate that you have this threat on your PC:

  • You can't visit some security-related websites.

Last update 19 September 2014
