
PWS:Win32/Kegotip.A


First posted on 16 March 2012.
Source: Microsoft

Aliases:

PWS:Win32/Kegotip.A is also known as Mal/ZboCheMan-A (Sophos).

Explanation:

PWS:Win32/Kegotip.A is a password-stealing trojan that steals FTP host and user account information from certain programs.



Installation

PWS:Win32/Kegotip.A may create the following files:

  • %Temp%\mswqc.tmp
  • %Temp%\mswqd.tmp


It may create the following mutexes:

  • MAPI-HP*4D4170492C1CA9A4
  • MAPI-HP*80035B032C1CA9A4
  • MAPI-HP*80036C782C1CA9A4
  • MAPI-HP*80037B0E2C1CA9A4
  • MAPI-HP*8003A1B12C1CA9A4
  • MAPI-HP*8003B8942C1CA9A4
  • MAPI-HP*8003C2192C1CA9A4
  • MAPI-HP*800420D32C1CA9A4
  • MAPI-HP*800454182C1CA9A4
  • MAPI-HP*800458DB2C1CA9A4
  • MAPI-HP*80049F5A2C1CA9A4
  • MAPI-HP*8005389C2C1CA9A4
  • MAPI-HP+4D4170492C1CA9A4
  • MAPI-HP+80035B032C1CA9A4
  • MAPI-HP+80036C782C1CA9A4
  • MAPI-HP+80037B0E2C1CA9A4
  • MAPI-HP+8003A1B12C1CA9A4
  • MAPI-HP+8003B8942C1CA9A4
  • MAPI-HP+8003C2192C1CA9A4
  • MAPI-HP+800420D32C1CA9A4
  • MAPI-HP+800454182C1CA9A4
  • MAPI-HP+800458DB2C1CA9A4
  • MAPI-HP+80049F5A2C1CA9A4
  • MAPI-HP+8005389C2C1CA9A4
  • SafeHeapWin32Object
  • SafeHeapWin32Object026
  • SafeHeapWin32Object027



Payload

Modifies firewall settings

PWS:Win32/Kegotip.A may create the following registry entry to bypass the Windows firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
Sets value: "<malware path>"
With data: "<malware file>:*:enabled:microsoft office"
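The firewall exception above is written in the "<path>:<scope>:<mode>:<name>" format that the AuthorizedApplications\List values use, with a display name ("microsoft office") chosen to look harmless. The following script is an added example (not part of the Microsoft write-up) that parses exported values of that list and flags entries whose program lives in a user-writable directory or whose display name does not match the program path. The registry values it scans are constructed sample data, and the user-writable directory list is a heuristic, not something taken from the page.

```python
"""Triage Windows Firewall AuthorizedApplications\\List values (added example).

The value format "<path>:<scope>:<mode>:<name>" is the one shown in the
write-up. The exported values below are constructed sample data.
"""
import re
from dataclasses import dataclass

# The program path itself contains a colon after the drive letter, so the
# drive prefix is anchored explicitly before splitting the remaining fields.
_ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*):(?P<mode>[^:]*):(?P<name>.*)$"
)

# Heuristic (constructed): directories an ordinary user can write to. A
# firewall exception for a program stored here deserves a second look.
_USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class FirewallException:
    path: str
    scope: str
    mode: str
    name: str


def parse_entry(value: str) -> FirewallException:
    """Split one raw registry value into its four fields."""
    m = _ENTRY.match(value)
    if not m:
        raise ValueError(f"unrecognised AuthorizedApplications value: {value!r}")
    return FirewallException(**m.groupdict())


def reasons(entry: FirewallException) -> list:
    """Return the findings for one exception; an empty list means nothing stood out."""
    out = []
    low = entry.path.lower()
    if entry.mode.lower() == "enabled" and any(d in low for d in _USER_WRITABLE):
        out.append("enabled exception for a program in a user-writable directory")
    # Kegotip registers its own file under the display name "microsoft office";
    # flag that name whenever the path is not inside an Office installation.
    if entry.name.strip().lower() == "microsoft office" and "microsoft office" not in low:
        out.append('display name "microsoft office" does not match the program path')
    if out and entry.scope == "*":
        out.append("exception applies to all remote addresses")
    return out


def triage(values):
    """Map each raw value to its findings; only suspicious entries are returned."""
    findings = {}
    for v in values:
        r = reasons(parse_entry(v))
        if r:
            findings[v] = r
    return findings


# Constructed sample of exported List values (not taken from the page).
SAMPLE_VALUES = [
    r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook",
    r"C:\Program Files\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla",
    r"C:\Users\alice\AppData\Local\Temp\update.exe:*:enabled:microsoft office",
]

if __name__ == "__main__":
    for value, why in triage(SAMPLE_VALUES).items():
        print(value)
        for w in why:
            print("   -", w)
```

Feed it the output of a registry export of the List key (one value per line) to review the exceptions on a host; a match on the display-name rule together with a Temp-directory path is the combination this write-up describes.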

Listens on certain ports

PWS:Win32/Kegotip.A may open and listen on the following ports:

  • IP port 0
  • TCP port 1080


It may attempt to connect to the following IP addresses or domains:

  • 91.223.89.71 via TCP ports 20050, 20051, and 20053
  • centeralpha.info via TCP port 20050
  • delp.in via TCP port 20050
  • drevozhizni.in via TCP port 20050
  • ext-delaville.org via TCP port 20050
  • fourtis.ru via TCP port 20050
  • klindo.com via TCP port 20050
  • millko.in via TCP port 20050
  • orldovan.ru via TCP port 20050
  • romokaska.ru via TCP ports 20050 and 20053
  • satersen.ru via TCP port 20050
  • showmyip.com via TCP port 80
  • uptownking.biz via TCP port 20050
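The mutex names, dropped files, listening port and remote endpoints listed above are the observable indicators a defender can match against endpoint or sandbox telemetry. The script below is an added example (not part of the Microsoft write-up) that does exactly that: the indicator values are copied from this page, while the event records are constructed sample telemetry in a hypothetical JSON-lines shape (fields pid, type, name, dest, port, path) chosen for the example. The MAPI-HP mutexes share two prefixes and a fixed 16-hex-digit tail, so one pattern covers the whole family; showmyip.com on port 80 is a legitimate service and is reported as a weak indicator only.

```python
"""Match telemetry against the PWS:Win32/Kegotip.A indicators (added example).

Indicator values come from the write-up; the telemetry lines are constructed
sample data in a hypothetical JSON-lines format.
"""
from __future__ import annotations

import json
import re

# Mutex family from the page: MAPI-HP followed by '*' or '+' and 16 hex digits,
# plus the SafeHeapWin32Object names.
MUTEX_RE = re.compile(r"^(MAPI-HP[*+][0-9A-F]{16}|SafeHeapWin32Object(02[67])?)$")

# Remote endpoints from the page as (host or IP, TCP port).
C2_ENDPOINTS = {
    ("91.223.89.71", 20050), ("91.223.89.71", 20051), ("91.223.89.71", 20053),
    ("centeralpha.info", 20050), ("delp.in", 20050), ("drevozhizni.in", 20050),
    ("ext-delaville.org", 20050), ("fourtis.ru", 20050), ("klindo.com", 20050),
    ("millko.in", 20050), ("orldovan.ru", 20050),
    ("romokaska.ru", 20050), ("romokaska.ru", 20053),
    ("satersen.ru", 20050), ("uptownking.biz", 20050),
}
# Legitimate external-IP lookup service used by the malware: weak signal only.
WEAK_ENDPOINTS = {("showmyip.com", 80)}

LISTEN_PORTS = {1080}                        # TCP port 1080 from the page
DROPPED_FILES = {"mswqc.tmp", "mswqd.tmp"}  # created under %Temp%


def classify(event: dict) -> tuple | None:
    """Return (severity, reason) when an event matches an indicator, else None."""
    kind = event.get("type")
    if kind == "mutex" and MUTEX_RE.match(event.get("name", "")):
        return "high", f"Kegotip mutex {event['name']}"
    if kind == "connect":
        key = (event.get("dest", "").lower(), int(event.get("port", 0)))
        if key in C2_ENDPOINTS:
            return "high", f"connection to Kegotip endpoint {key[0]}:{key[1]}"
        if key in WEAK_ENDPOINTS:
            return "low", f"external-IP lookup via {key[0]}:{key[1]}"
    if kind == "listen" and int(event.get("port", 0)) in LISTEN_PORTS:
        return "medium", f"process listening on TCP {event['port']}"
    if kind == "file_create":
        path = event.get("path", "")
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES and "\\temp\\" in path.lower():
            return "medium", f"dropped file {name} in a Temp directory"
    return None


def scan(lines):
    """Run classify() over JSON-lines telemetry; returns [(pid, severity, reason), ...]."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("pid"), *verdict))
    return hits


# Constructed sample telemetry (not a real capture). Backslashes are doubled
# once for Python and once for JSON.
SAMPLE_TELEMETRY = """
{"pid": 4120, "type": "file_create", "path": "C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\mswqc.tmp"}
{"pid": 4120, "type": "mutex", "name": "MAPI-HP*4D4170492C1CA9A4"}
{"pid": 4120, "type": "listen", "port": 1080}
{"pid": 4120, "type": "connect", "dest": "showmyip.com", "port": 80}
{"pid": 4120, "type": "connect", "dest": "romokaska.ru", "port": 20053}
{"pid": 988, "type": "connect", "dest": "update.microsoft.com", "port": 443}
{"pid": 988, "type": "mutex", "name": "Local\\\\SampleBenignMutex"}
""".strip().splitlines()

if __name__ == "__main__":
    for pid, severity, reason in scan(SAMPLE_TELEMETRY):
        print(f"pid {pid:>5}  {severity:<6}  {reason}")
```

Grouping hits by pid is what makes this useful: a single process that drops mswqc.tmp, creates a MAPI-HP mutex, listens on 1080 and then reaches one of the 20050-series endpoints matches the full chain described on this page, whereas an isolated showmyip.com lookup on its own is not worth an alert.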


It may also attempt to steal FTP host and user account information from the following programs:

  • CuteFTP
  • FAR
  • FileZilla
  • Internet Explorer
  • SmartFTP
  • Total Commander
  • TurboFTP




Analysis by Hyun Choi

Last update 16 March 2012
