
Trojan:AutoIt/Kilim.A


First posted on 04 June 2013.
Source: Microsoft

Aliases :

Trojan:AutoIt/Kilim.A is also known as Trojan.Generic.9124644 (BitDefender), Trojan.MulDrop4.38011 (Dr.Web), Win32/AHK.V trojan (ESET), W32/Agent.HNYI!tr (other), Trojan-Dropper.Win32.Agent.hnyi (Kaspersky).

Explanation :



Installation

Trojan:AutoIt/Kilim.A creates the following folders and copies itself into them:

  • %windir%\AdobeFlash2\
  • %windir%\AdobeFlash\


If these directories already exist, the trojan deletes any files in them and replaces them with a copy of itself.

We have seen this trojan use the filename windows.exe, using the Adobe Flash player icon, but this may vary.

Trojan:AutoIt/Kilim.A disables User Account Control (UAC) by setting the following registry value:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0x00000000"

It modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdobeFlashUpdateManager"
With data: %windir%\AdobeFlash\<threat file name>, for example %windir%\AdobeFlash\windows.exe.

Payload

Posts malicious links on social media

Trojan:AutoIt/Kilim.A connects to a remote server to download configuration files that install Chrome browser extensions:

  • www.e-begen.com/<removed>.txt
  • www.trkral.com/<removed>.txt


It closes the Chrome browser and installs the two malicious extensions using the following configuration files and registry entries:

  • %windir%\adobeflash\update.xml
  • %windir%\adobeflash2\update.xml


In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Sets value: "1"
With data: "%windir%\AdobeFlash\update.xml"

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Sets value: "2"
With data: "%windir%\adobeflash2\update.xml"

The trojan can then gain access to your Facebook, Twitter and YouTube accounts the next time you log in using the Chrome browser. It may post messages, like pages, or follow profiles on Twitter.

An example of the messages it may post:

  • "Selam bir site buldum günlük 250 takipçi veriyor. Sen de denemelisin:)" (I found a site that gives a daily 250 followers. You should too:))


The Chrome browser extensions used by this trojan are detected as Trojan:JS/Kilim.A.
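As an added defender-side check (not part of the Microsoft write-up), the following PowerShell script inspects a Windows host, read-only, for the drop folders, registry values and forced-extension entries described above and reports what it finds. It assumes the paths and value names exactly as listed on this page and should be run from an elevated prompt so the HKLM policy keys are readable.

```powershell
# Added example, not Microsoft's code: read-only sweep for the Kilim.A artefacts
# described on this page. It reports findings; it does not remove anything.

$findings = @()

# 1. Drop folders: %windir%\AdobeFlash and %windir%\AdobeFlash2
foreach ($dir in @("$env:windir\AdobeFlash", "$env:windir\AdobeFlash2")) {
    if (Test-Path -LiteralPath $dir) {
        $files = @(Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)
        $findings += "Folder present: $dir ($($files.Count) file(s): $($files.Name -join ', '))"
    }
}

# 2. UAC disabled: EnableLUA = 0 under Policies\System
$sys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $sys -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings += "UAC disabled: $sys\EnableLUA = 0" }

# 3. Persistence: Run value named AdobeFlashUpdateManager
$run  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$auto = (Get-ItemProperty -Path $run -Name AdobeFlashUpdateManager -ErrorAction SilentlyContinue).AdobeFlashUpdateManager
if ($auto) { $findings += "Run entry: AdobeFlashUpdateManager = $auto" }

# 4. Forced Chrome extensions whose data points at update.xml in the drop folders
$force = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
if (Test-Path -LiteralPath $force) {
    $props = Get-ItemProperty -Path $force
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        if ("$($p.Value)" -match '(?i)adobeflash2?\\update\.xml') {
            $findings += "Forced extension: $force\$($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -gt 0) {
    Write-Output "Kilim.A indicators found:"
    $findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output "No Kilim.A indicators found."
}
```

A hit on the ExtensionInstallForcelist check alone is worth triage even if the folders are gone, since the policy keeps re-forcing the extension on Chrome start.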



Analysis by Karthik Selvaraj.

Last update 04 June 2013
