
Trojan.Kasidet


First posted on 23 July 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Kasidet.

Explanation:

When the Trojan is executed, it copies itself to the following location:
C:\Documents and Settings\[USER NAME]\Application Data\[COMPROMISED HOST NAME]\[MALWARE NAME].exe

The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[MALWARE NAME].exe = C:\Documents and Settings\[USER NAME]\Application Data\[COMPROMISED HOST NAME]\[MALWARE NAME].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[MALWARE NAME].exe = C:\Documents and Settings\[USER NAME]\Application Data\[COMPROMISED HOST NAME]\[MALWARE NAME].exe
The Trojan opens a back door and connects to one of the following servers:
[http://]adika-win-iphone.comyr.com/god[REMOVED]
[http://]dlms1.ir/php5[REMOVED]
[http://]cosmeticsurgeryonline.in/lib[REMOVED]
[http://]dev1.appsichern.de[REMOVED]
The Trojan may perform the following actions:
Check if it is running in a monitoring environment
Contact the command-and-control server to inform it of the compromise
Use User-Agent: Neutrino/2.1 in an HTTP request
Collect information about the logged on user, the OS version, installed antivirus software, and network address translation
Modify host files
Download and execute remote files
Update itself
Perform DDoS attacks
Log keystrokes
Recreate itself if the load point is removed
Spread through USB drives
Open the browser and point to a specific URL
Upload files onto the command-and-control server
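A defender-side check for the two artifacts described above (the Run-key load point under Application Data\[COMPROMISED HOST NAME]\ and the Neutrino/2.1 User-Agent), written here as an added example; it is not part of the Symantec writeup. The registry export, host name and proxy log lines are constructed sample data, and c2.example.invalid is a placeholder domain.

```python
import re

# Constructed sample data (not from the writeup): Run-key values exported as
# (key, value name, data) tuples, plus a few proxy log lines in a simple
# space-separated format with the User-Agent quoted.
HOSTNAME = "WS-ALICE"  # assumed name of the host whose registry was exported
SAMPLE_RUN_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "winhelp.exe",
     r"C:\Documents and Settings\alice\Application Data\WS-ALICE\winhelp.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "winhelp.exe",
     r"C:\Documents and Settings\alice\Application Data\WS-ALICE\winhelp.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater.exe",
     r"C:\Documents and Settings\alice\Application Data\Vendor\updater.exe"),
]
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://example.com/ "Mozilla/5.0 (Windows NT 5.1)" 200
10.0.0.7 POST http://c2.example.invalid/gate "Neutrino/2.1" 200
10.0.0.5 GET http://example.com/news "Mozilla/5.0 (Windows NT 5.1)" 200
"""

# Load-point shape from the writeup:
#   <drive>:\Documents and Settings\<user>\Application Data\<HOST NAME>\<MALWARE NAME>.exe
KASIDET_PATH = re.compile(
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\Application Data\\"
    r"(?P<host>[^\\]+)\\(?P<exe>[^\\]+\.exe)$",
    re.IGNORECASE,
)

def suspicious_run_values(run_values, hostname):
    """Return Run-key values whose data is an .exe under Application Data in a
    folder named after the local host, registered under a value name equal to
    the file name (the Kasidet persistence pattern)."""
    hits = []
    for key, name, data in run_values:
        m = KASIDET_PATH.match(data)
        if m and m.group("host").lower() == hostname.lower() \
                and m.group("exe").lower() == name.lower():
            hits.append((key, name, data))
    return hits

UA_RE = re.compile(r'"Neutrino/2\.1"')

def neutrino_requests(log_text):
    """Return proxy log lines whose User-Agent is exactly Neutrino/2.1."""
    return [line for line in log_text.splitlines() if UA_RE.search(line)]

if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_RUN_VALUES, HOSTNAME):
        print("suspicious load point:", hit)
    for line in neutrino_requests(SAMPLE_PROXY_LOG):
        print("Neutrino/2.1 request:", line)
```

On a real host the Run-key tuples would come from a registry export and the hostname from the machine itself; the User-Agent check is a string match and will also catch any other tool that uses that exact header.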

Last update 23 July 2014

 
