TrojanDownloader:Win32/Kanav.F
First posted on 02 February 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Kanav.F is also known as Trojan/Win32.OnlineGameHack (AhnLab), W32/Alyak.A (Norman), Win32/Alyak.F trojan (ESET), Trojan.ADH (Symantec).
Explanation:
Installation
TrojanDownloader:Win32/Kanav.F creates a copy of itself as:
%ProgramFiles%\Common Files\Apple\Mobile Device Support\apple.exe
It creates the following registry entry so that its copy automatically runs every time your computer starts (Active Setup runs the StubPath command once per user profile at logon):
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<random CLSID>
Sets value: "stubpath"
With data: "%ProgramFiles%\Common Files\Apple\Mobile Device Support\apple.exe"
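The Active Setup entry above is the malware's persistence mechanism, and it is one a responder can hunt for directly. The following is an added example, not part of Microsoft's write-up: it parses the text form of an Installed Components export (a constructed sample is embedded, with placeholder CLSIDs) and flags any StubPath whose executable matches the dropper path above or lives outside %SystemRoot%, where Windows' own Active Setup stubs normally reside. The expansions of %SystemRoot% and %ProgramFiles% are assumed to be C:\Windows and C:\Program Files.

```python
"""Hunt for suspicious Active Setup persistence in a .reg export.

Added example (not part of the original write-up). Parses the text form of
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and flags StubPath
values that (a) match the Kanav.F dropper path or (b) point outside
%SystemRoot%, where Windows' own Active Setup stubs live. Sample data below
is constructed; the CLSIDs are placeholders, not real indicators.
"""
import re
from typing import Dict, List, Tuple

# Assumed expansions of the environment variables for this offline example.
SYSTEM_ROOT = r"C:\Windows"
PROGRAM_FILES = r"C:\Program Files"

# Dropper path from the write-up, with %ProgramFiles% expanded.
KANAV_STUBPATH = PROGRAM_FILES + r"\Common Files\Apple\Mobile Device Support\apple.exe"

# Constructed sample of `reg export` output (UTF-16 BOM stripped). The first two
# entries look like normal Windows stubs; the third mimics the Kanav.F entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"Version"="6,1,7600,16385"
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
"StubPath"="\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Windows\\System32\\themeui.dll\",InitializeThemes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D3F9A1B2-0C4E-4F67-9A8B-5E6F7A8B9C0D}]
"stubpath"="C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\apple.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Value names are case-insensitive in the registry, so accept "stubpath" too.
STUBPATH_RE = re.compile(r'^"stubpath"="(.*)"$', re.IGNORECASE)
# .reg files escape backslashes and double quotes with a backslash.
UNESCAPE_RE = re.compile(r'\\(["\\])')
# First token of the command up to and including ".exe", with optional leading quote.
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)


def parse_stubpaths(reg_text: str) -> Dict[str, str]:
    """Map each Installed Components subkey to its unescaped StubPath command."""
    result: Dict[str, str] = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = STUBPATH_RE.match(line)
        if value_match and current_key is not None:
            result[current_key] = UNESCAPE_RE.sub(r"\1", value_match.group(1))
    return result


def executable_of(command: str) -> str:
    """Return the .exe a StubPath command launches (quotes and arguments stripped)."""
    match = EXE_RE.match(command.strip())
    if match:
        return match.group(1)
    return command.strip().split(" ")[0].strip('"')


def find_suspicious(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, stubpath, reason) for entries that deserve a closer look."""
    findings: List[Tuple[str, str, str]] = []
    for key, command in parse_stubpaths(reg_text).items():
        exe = executable_of(command)
        if exe.lower() == KANAV_STUBPATH.lower():
            findings.append((key, command, "matches TrojanDownloader:Win32/Kanav.F dropper path"))
        elif not exe.lower().startswith(SYSTEM_ROOT.lower() + "\\"):
            findings.append((key, command, "StubPath executable outside %SystemRoot%"))
    return findings


if __name__ == "__main__":
    for key, command, reason in find_suspicious(SAMPLE_REG_EXPORT):
        print(f"{reason}\n  key:      {key}\n  StubPath: {command}")
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" asetup.reg`, which Windows writes as UTF-16LE (open the file with encoding="utf-16"); on 64-bit Windows also export the Wow6432Node copy of the key. The second rule is a triage heuristic rather than a verdict: some legitimate third-party installers register Active Setup stubs under Program Files, so treat those hits as leads to verify against file signatures and hashes.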
Payload
Downloads other malware
TrojanDownloader:Win32/Kanav.F queries certain websites, such as the following:
- blog.daum.net
- i.sohu.com
- hi.baidu.com
The website may return an encrypted string. When decrypted, the string tells the malware where to download other files from, which it then runs. Some examples are:
- www.bignews.co.kr/<blocked>/b4.gif - detected as Trojan:Win32/Qhost.HB
- ezyeconomy.com/<blocked>/2011071/o5.gif - the file is currently not available
Deletes gaming settings
TrojanDownloader:Win32/Kanav.F deletes the following registry entry, if it exists on your computer:
HKCU\Software\Blizzard Entertainment\Battle.net\Identity
Steals information
TrojanDownloader:Win32/Kanav.F may steal the following information about your computer, which it sends to "exeinfo1.org":
- CPU ID
- Windows version
- MAC address
Analysis by Stefan Sellmer
Last update 02 February 2013