PWS:Win32/Kegotip.A
First posted on 16 March 2012.
Source: Microsoft
Aliases:
PWS:Win32/Kegotip.A is also known as Mal/ZboCheMan-A (Sophos).
Explanation:
PWS:Win32/Kegotip.A is a password-stealing trojan that steals FTP host and user account information for certain programs.
Installation
PWS:Win32/Kegotip.A may create the following files:
- %Temp%\mswqc.tmp
- %Temp%\mswqd.tmp
It may create the following mutexes:
Payload
Modifies firewall settings
PWS:Win32/Kegotip.A may create the following registry entry to bypass the Windows firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
Sets value: "<malware path>"
With data: "<malware file>:*:enabled:microsoft office"
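As an added illustration, not part of the Microsoft write-up, the following PowerShell audit enumerates the StandardProfile AuthorizedApplications list named above and flags entries with the shape of the one Kegotip.A writes: a "microsoft office" display name attached to a binary outside the Office install directory, a path under a temp or user-profile directory, or a value name that does not match the path in its own data. The registry key is the one quoted on the page; the heuristics and the Program Files location are my assumptions.

```powershell
# Added example: audit the legacy (XP/2003-era) Windows Firewall exception list for
# entries shaped like the Kegotip.A one. Data format is "<path>:<scope>:<state>:<name>".
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Test-AuthorizedApplicationEntry {
    param([string]$ValueName, [string]$Data)
    $reasons = @()
    # Greedy first group keeps the drive-letter colon inside the path field.
    if ($Data -match '^(.+):([^:]*):([^:]*):([^:]*)$') {
        $path, $scope, $state, $name = $Matches[1], $Matches[2], $Matches[3], $Matches[4]
    } else {
        return [pscustomobject]@{ ValueName = $ValueName; Data = $Data; Suspicious = $true; Reasons = 'unparseable entry' }
    }
    # Assumption: legitimate Office binaries live under Program Files\Microsoft Office.
    if ($name -ieq 'microsoft office' -and $path -notmatch '\\Program Files( \(x86\))?\\Microsoft Office\\') {
        $reasons += 'claims "microsoft office" but path is outside the Office directory'
    }
    if ($path -match '\\(Temp|AppData|Local Settings|Application Data)\\') {
        $reasons += 'binary located in a temp or profile directory'
    }
    if ($ValueName -ine $path) {
        $reasons += 'value name does not match path in data'
    }
    if ($state -ieq 'enabled' -and -not (Test-Path -LiteralPath $path)) {
        $reasons += 'enabled exception for a file that no longer exists'
    }
    [pscustomobject]@{
        ValueName  = $ValueName
        Path       = $path
        Scope      = $scope
        State      = $state
        Name       = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

if (-not (Test-Path $key)) {
    Write-Output 'Key not present: this host does not use the StandardProfile policy store.'
} else {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Test-AuthorizedApplicationEntry -ValueName $_.Name -Data ([string]$_.Value) } |
        Where-Object { $_.Suspicious } |
        Format-List
}
```

Run it elevated on the affected host; a clean system prints nothing after the header because every entry passes the checks.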
Listens on certain ports
PWS:Win32/Kegotip.A may open and listen on the following ports:
- IP port 0
- TCP port 1080
It may attempt to connect to the following IP addresses or domains:
- 91.223.89.71 via TCP ports 20050, 20051, and 20053
- centeralpha.info via TCP port 20050
- delp.in via TCP port 20050
- drevozhizni.in via TCP port 20050
- ext-delaville.org via TCP port 20050
- fourtis.ru via TCP port 20050
- klindo.com via TCP port 20050
- millko.in via TCP port 20050
- orldovan.ru via TCP port 20050
- romokaska.ru via TCP ports 20050 and 20053
- satersen.ru via TCP port 20050
- showmyip.com via TCP port 80
- uptownking.biz via TCP port 20050
It may also attempt to steal FTP host and user account information for the following programs:
- CuteFTP
- FAR
- FileZilla
- Internet Explorer
- SmartFTP
- Total Commander
- TurboFTP
Analysis by Hyun Choi
Last update 16 March 2012