BKDR_KULUOZ.FE

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Application Data%\{random}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• {BLOCKED}.{BLOCKED}.211.194:8080/{generated value}
• {BLOCKED}.{BLOCKED}.103.54:8080/{generated value}
• {BLOCKED}.{BLOCKED}.20.226:8080/{generated value}
• {BLOCKED}.{BLOCKED}.156.180:8080/{generated value}
• {BLOCKED}.{BLOCKED}.224.202:8080/{generated value}
• {BLOCKED}.{BLOCKED}.218.180:8080/{generated value}
• {BLOCKED}.{BLOCKED}.218.181:8080/{generated value}
• {BLOCKED}.{BLOCKED}.112.99:8080/{generated value}
• {BLOCKED}.{BLOCKED}.136.150:8080/{generated value}
• {BLOCKED}.{BLOCKED}.31.53:8080/{generated value}

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.136.150:8080//get/43d982be5107d1b8de698e16759b9956.exe - detected as TROJ_FAKEAV.FE