
Trojan:Win32/Kovter.C


First posted on 03 February 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Kovter.C.

Explanation :

Threat behavior

Installation

Trojan:Win32/Kovter.C installs a copy of itself as %LOCALAPPDATA%\KB<number>\KB<number>.exe, for example, %LOCALAPPDATA%\KB3935267\KB3935267.exe.

It adds these entries to your registry so that its copy automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\KB<number>\KB<number>.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\kb<number>\KB<number>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\kb<number>\KB<number>.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\kb<number>\KB<number>.exe"

Trojan:Win32/Kovter.C might also add the following registry entries to store some of its configuration data, such as its path name, unique ID, and user agent string:

In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number>, for example, AFB117A7
Sets value: "1"
With data: "%LOCALAPPDATA%\KB<number>\KB<number>.exe"
Sets value: "2"
With data: ""
Sets value: "3"
With data: "<16-digit hexadecimal number>", for example, "222EA48E6EAA93B1"
Sets value: "4"
With data: "<10-digit number>", for example, "1390831483" (the example reads as a Unix timestamp, 27 January 2014 UTC)
Sets value: "5"
With data: "<user agent string>", for example, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

Note that these values are derived from information about your PC, such as the Windows product key and installation date read from the registry.

This threat might not run properly if any of these processes (which belong to security tools) are running on your PC:

  • a2service.exe
  • avcom.exe
  • avp.exe
  • BullGuard.exe
  • cmdagent.exe
  • dwengine.exe
  • jpf.exe
  • oaui.exe
  • op_mon.exe


It might also not run properly if it detects certain virtualization and analysis tools, such as the following:

  • JoeBox
  • QEMU
  • Sandboxie
  • Sunbelt
  • VirtualBox
  • VirtualPC
  • VMware
  • Wine
  • Wireshark


It injects its code into svchost.exe and into the default HTML file viewer (usually a browser, such as Internet Explorer or Firefox).

Payload

Changes Internet Explorer settings

This threat changes the following Internet Explorer settings:

Suppresses the information bar that Internet Explorer shows when Protected Mode is turned off (Protected Mode itself is setting 2500 under the Internet zone, listed further down):
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "dword:00000001"

Sets tabs and frames to run within the same process in Internet Explorer:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "TabProcGrowth"
With data: "dword:00000000"

Lowers Local intranet zone (Zones\1) security settings. The data is an action value: 0 = enable, 1 = prompt, 3 = disable. Among the settings touched, 1400 is Active scripting, 1407 is programmatic clipboard access, 1601 is submitting non-encrypted form data and 1809 is the Pop-up Blocker:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1206"
With data: "dword:00000000"
Sets value: "1400"
With data: "dword:00000000"
Sets value: "1402"
With data: "dword:00000000"
Sets value: "1407"
With data: "dword:00000000"
Sets value: "1601"
With data: "dword:00000000"
Sets value: "1809"
With data: "dword:00000003"
Sets value: "2300"
With data: "dword:00000000"

Lowers Internet zone (Zones\3) security settings (0 = enable, 1 = prompt, 3 = disable); here 2500 set to 3 also turns Protected Mode off for the zone:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1206"
With data: "dword:00000000"
Sets value: "1400"
With data: "dword:00000000"
Sets value: "1402"
With data: "dword:00000000"
Sets value: "1407"
With data: "dword:00000000"
Sets value: "1601"
With data: "dword:00000000"
Sets value: "1801"
With data: "dword:00000003"
Sets value: "1809"
With data: "dword:00000003"
Sets value: "2300"
With data: "dword:00000000"
Sets value: "2500"
With data: "dword:00000003"
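As an added example (editor's code, not part of the Microsoft write-up or of any Microsoft tool), the Python below parses a `reg export` text file and flags the registry artifacts described in the Installation and Payload sections: the KB<number> autorun values in the Run and Policies\Explorer\Run keys, the HKLM\SOFTWARE\<8-digit hexadecimal number> configuration key, and the Internet Explorer Main and zone values. The .reg text in SAMPLE_REG is constructed for the example; the reading of value "4" as a Unix timestamp and the names given to the zone settings (1400 Active scripting, 1407 programmatic clipboard access, 1809 Pop-up Blocker, 2500 Protected Mode) are the editor's, not something the write-up states.

```python
import re
from datetime import datetime, timezone

# Constructed sample in `reg export` syntax (not a real capture) with the artifacts listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KB"="C:\\Users\\alice\\AppData\\Local\\KB3935267\\KB3935267.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"KB"="%LOCALAPPDATA%\\KB3935267\\KB3935267.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\AFB117A7]
"1"="C:\\Users\\alice\\AppData\\Local\\KB3935267\\KB3935267.exe"
"2"=""
"3"="222EA48E6EAA93B1"
"4"="1390831483"
"5"="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"TabProcGrowth"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1809"=dword:00000003
"2500"=dword:00000003
'''
_KEY = re.compile(r'^\[(.+)\]$')
_VAL = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg_export(text):
    """{key: {value name: data}} from reg export text. Decodes REG_SZ ("..." with \\ and
    \" escapes) and REG_DWORD (dword:hex); other value types are kept as raw text."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            cur = keys.setdefault(m.group(1), {})
        elif cur is not None and (m := _VAL.match(line)):
            name, data = m.groups()
            name = '' if name == '@' else re.sub(r'\\(.)', r'\1', name[1:-1])
            if data.startswith('dword:'):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            cur[name] = data
    return keys

def _lookup(keys, path):  # registry key names are case-insensitive, so compare that way
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})

RUN_KEYS = [h + s for h in ('HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') for s in
            (r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')]
# %LOCALAPPDATA%\KB<number>\KB<number>.exe, with the variable expanded or not
KB_PATH = re.compile(r'(?:%LOCALAPPDATA%|\\AppData\\Local)\\KB\d+\\KB\d+\.exe$', re.I)
CONFIG_KEY = re.compile(r'^HKEY_LOCAL_MACHINE\\SOFTWARE\\[0-9A-F]{8}$', re.I)

def find_autoruns(keys):
    """(key, value name, data) for each Run or Policies\\Explorer\\Run value aimed at the KB path."""
    return [(k, n, d) for k in RUN_KEYS for n, d in _lookup(keys, k).items()
            if isinstance(d, str) and KB_PATH.search(d.strip('"'))]

def find_config(keys):
    """HKLM\\SOFTWARE\\<8 hex digits> keys laid out like the config block above; reading value "4"
    as a Unix epoch is an assumption from its 10-digit form and the install-date remark."""
    out = []
    for key, vals in keys.items():
        path, uid, stamp = (str(vals.get(n, '')) for n in ('1', '3', '4'))
        if (CONFIG_KEY.match(key) and KB_PATH.search(path)
                and re.fullmatch(r'[0-9A-F]{16}', uid, re.I) and re.fullmatch(r'\d{10}', stamp)):
            out.append({'key': key, 'path': path, 'unique_id': uid,
                        'installed_utc': datetime.fromtimestamp(int(stamp), timezone.utc),
                        'user_agent': vals.get('5', '')})
    return out

IE_MAIN = r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main'
ZONES = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone action data: 0 = enable, 1 = prompt, 3 = disable. Only settings whose meaning is certain
# are decoded; 1206, 1402, 1601, 1801 and 2300 from the write-up are not checked here.
WEAKENED = {'1400': (0, 'Active scripting enabled'),
            '1407': (0, 'programmatic clipboard access allowed'),
            '1809': (3, 'Pop-up Blocker disabled'),
            '2500': (3, 'Protected Mode turned off')}

def find_ie_weakening(keys):
    """(where, setting, meaning) for each Internet Explorer change above that is present."""
    main, out = _lookup(keys, IE_MAIN), []
    if main.get('NoProtectedModeBanner') == 1:
        out.append(('Main', 'NoProtectedModeBanner', 'Protected Mode-off warning bar suppressed'))
    if main.get('TabProcGrowth') == 0:
        out.append(('Main', 'TabProcGrowth', 'tabs and frames forced into one process'))
    for zone, label in (('1', 'Local intranet'), ('3', 'Internet')):
        z = _lookup(keys, ZONES + '\\' + zone)
        out += [(label, s, why) for s, (bad, why) in WEAKENED.items() if z.get(s) == bad]
    return out

def triage(reg_text):
    keys = parse_reg_export(reg_text)
    return {'autoruns': find_autoruns(keys), 'config': find_config(keys), 'ie': find_ie_weakening(keys)}
```

To use it on a host, feed triage() the text of `reg export HKLM\SOFTWARE hklm.reg` together with the matching HKCU export (reg.exe writes UTF-16LE, so open the files with encoding='utf-16'). The config check deliberately reports only keys whose value "1" is the KB path and whose values "3" and "4" have the documented shape, and the zone table covers only the settings whose meaning is unambiguous, so a clean result still calls for the file check under Symptoms.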

Gives an attacker access to and control of your PC

Trojan:Win32/Kovter.C connects to remote command and control (C&C) servers to receive commands and other data from the attacker who controls them. Some of the C&C servers it is known to connect to are:

  • cnc2-bt02.biz
  • cnc3-dm1.biz
  • energizer2012.org
  • wista-opencup.org
  • turboman-open.org


Trojan:Win32/Kovter.C sends data about your PC, such as the Windows version and the time zone, back to these servers. It can also receive instructions from them on what to do to your PC. These instructions might include:

  • Download and run other malware on your PC, especially ransomware
  • Send information stored on your PC, such as passwords saved by your browsers and cookies
  • Visit websites without your consent and click links on those sites as a form of click fraud
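As an added example (editor's code, not from the write-up), the Python below matches DNS query logs against the C&C domains listed above. Matching is done on label boundaries so that a subdomain of a listed domain is a hit while an unrelated name that merely ends in the same characters is not. The log lines are constructed for the example, and their `<timestamp> <client> <qtype> <qname>` layout is an assumption to be adapted to the real source, such as Sysmon Event ID 22 or DNS server logs.

```python
import re

# The C&C domains named in the write-up
KOVTER_C2 = {'cnc2-bt02.biz', 'cnc3-dm1.biz', 'energizer2012.org',
             'wista-opencup.org', 'turboman-open.org'}

# Constructed sample log (not a real capture): "<timestamp> <client> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2014-02-03T10:15:02Z 10.0.0.17 A energizer2012.org.
2014-02-03T10:15:09Z 10.0.0.17 A update.cnc3-dm1.biz
2014-02-03T10:16:44Z 10.0.0.23 AAAA www.microsoft.com
2014-02-03T10:17:01Z 10.0.0.31 A notenergizer2012.org
2014-02-03T10:17:30Z 10.0.0.17 A WISTA-OPENCUP.ORG
"""

_LINE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$')

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot; fold both away."""
    return qname.lower().rstrip('.')

def matches_ioc(qname, iocs=KOVTER_C2):
    """True when qname is an IOC domain or a subdomain of one. The suffix test includes the
    separating dot, so 'notenergizer2012.org' is not a hit for 'energizer2012.org'."""
    name = normalize(qname)
    return any(name == d or name.endswith('.' + d) for d in iocs)

def scan_dns_log(text, iocs=KOVTER_C2):
    """(timestamp, client, normalized qname) for every query that matches an IOC."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and matches_ioc(m.group(4), iocs):
            hits.append((m.group(1), m.group(2), normalize(m.group(4))))
    return hits

def clients_per_ioc(hits, iocs=KOVTER_C2):
    """Group the clients that queried each IOC, to scope the host-side checks that follow."""
    out = {}
    for _, client, name in hits:
        ioc = next(d for d in iocs if name == d or name.endswith('.' + d))
        out.setdefault(ioc, set()).add(client)
    return out
```

A hit on these domains is a lead rather than a verdict: the list dates from early 2014, and domains this old can since have been sinkholed or re-registered, so pair any match with the registry and file artifacts described above before concluding that a client is infected.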




Analysis by Rex Plantado

Symptoms

The following could indicate that you have this threat on your PC:

  • You have this file:
    • %LOCALAPPDATA%\KB<number>\KB<number>.exe, for example, %LOCALAPPDATA%\KB3935267\KB3935267.exe
  • You see these entries or keys in your registry:


In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\KB<number>\KB<number>.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\kb<number>\KB<number>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\kb<number>\KB<number>.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB"
With data: "%LOCALAPPDATA%\kb<number>\KB<number>.exe"

Last update 03 February 2014

 
