
Backdoor:Win32/Kasidet.C


First posted on 30 April 2015.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Kasidet.C.

Explanation :

Threat behavior

Installation

This threat can create a file on your PC using the name of any of the files it finds in the %SystemRoot% directory, for example explorer.exe, hh.exe, or isuninst.exe. It creates this file in the following location:

  • %APPDATA%\\, for example %APPDATA%\mymachine\explorer.exe

It creates the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "%APPDATA%\\", for example "%APPDATA%\mymachine\explorer.exe"
With data: "", for example "explorer.exe"

Payload

Steals your sensitive information

This threat can collect the following information from your PC:

  • PC name
  • user name
  • operating system version
  • product ID
  • installed antivirus products
  • local IP address


It also checks to see what Windows version you are running and if you have administrator privileges.

Contacts a remote host

The stolen information is sent to the malware's command and control (C&C) server. We have seen it connect to the following servers:


Once connected to its C&C server, the threat can also receive the following commands from a malicious hacker:

  • Download and run files
  • Record which keys you press
  • Participate in DoS attacks
  • Update itself
  • Delete files and registry entries
  • Find files on your PC
  • Modify the system Hosts file
  • Visit a URL using a hidden desktop
  • Set the interval for retrieving commands from C&C

Analysis by Jasper Manuel

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %APPDATA%\\, for example %APPDATA%\mymachine\explorer.exe
  • You see these entries or keys in your registry:

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "%APPDATA%\\", for example "%APPDATA%\mymachine\explorer.exe"
    With data: "", for example "explorer.exe"
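The persistence pattern above (a Run value under HKCU pointing into %APPDATA% with a file name borrowed from %SystemRoot%) can be checked for on a host with the following script. It is an added example for this entry, not code from Microsoft or the original write-up; the function name Find-SuspiciousRunEntries and the one-finding-per-value reporting are my own choices.

```powershell
# Added example (not from the write-up): flag HKCU Run entries whose target lives
# under %APPDATA% but whose file name matches a file found in %SystemRoot%.
function Find-SuspiciousRunEntries {
    param([string]$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

    # Names the backdoor may reuse: every file directly inside %SystemRoot%.
    $systemNames = @{}
    Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemNames[$_.Name.ToLowerInvariant()] = $true }
    $appData = $env:APPDATA.TrimEnd('\').ToLowerInvariant()

    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }

    $findings = @()
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are not Run values
        # The write-up shows the full path in the value *name* and only the file name
        # in the data, so inspect both; strip quotes and expand %APPDATA% and friends.
        foreach ($raw in @($prop.Name, [string]$prop.Value)) {
            $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            if ([string]::IsNullOrWhiteSpace($path)) { continue }
            $leaf = (Split-Path -Path $path -Leaf).ToLowerInvariant()
            $underAppData = $path.ToLowerInvariant().StartsWith($appData + '\')
            if ($underAppData -and $systemNames.ContainsKey($leaf)) {
                $exists = Test-Path -LiteralPath $path
                $findings += [pscustomobject]@{
                    ValueName = $prop.Name
                    Data      = $prop.Value
                    Path      = $path
                    Exists    = $exists
                    SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
                }
                break   # one finding per Run value is enough
            }
        }
    }
    return $findings
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

A legitimate program may also install itself under %APPDATA%, so treat a hit as a lead for triage (compare the reported hash and signature against the real file in %SystemRoot%) rather than as a verdict on its own.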

Last update 30 April 2015
