Home / malwarePDF  

Worm:Win32/Kasidet.B


First posted on 03 November 2019.
Source: Microsoft

Aliases :

Worm:Win32/Kasidet.B is also known as W32/Trojan.FAVQ-2299, TR/Crypt.ZPACK.99635, TROJ_SPNR.0AJ414.

Explanation :

Installation

This threat can create a file on your PC using the name of any of the files it finds in the %SystemRoot% directory. For example explorer.exe, hh.exe, or isuninst.exe. It creates this file in the following location:

%APPDATA% , for example %APPDATA%mymachineexplorer.exe

It creates the following registry entry so that it runs each time you start your PC:

In subkey: HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
Sets value: "%APPDATA%", for example "%APPDATA%mymachineexplorer.exe"
With data: "", for example "explorer.exe"

Spreads through...

It can create the following copies on removable drives, such as USB flash drives:

:WinSystemKB001.exe

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Steals your sensitive information

This threat can collect the following information from your PC:

PC name user name operating system version product ID installed antivirus products local IP address

It also checks to see what Windows version you are running and if you have administrator privileges.

Contacts a remote host

The stolen information is sent to the malware's command and control (C&C) server. We have seen it connect to the following servers:

count.com count.net hotlog2.net redtd.com traficins.net

Once connected to its C&C server the worm can also receive the following commands from a malicious hacker:

Download and run files Record which keys you press Participate in DoS attacks  Update itself Delete files and registry entries Find files on your PC Modify the system Hosts file Visit a URL using a hidden desktop Set the interval for retrieving commands from C&C

Analysis by Jasper Manuel

Last update 03 November 2019

 

TOP

Malware :

Family: