TROJ_INJECT.KDH
Trojan-Dropper.Win32.Injector.icwk (Kaspersky)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
134,144 bytes
EXE
Yes
24 Apr 2013
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following file(s)/component(s):
- %System Root%\autorun.inf
- %User Temp%\AppLaunch\Service.exe
- %User Temp%\AppLaunch\App.ine
- %User Temp%\{random}.0.cs
- %User Temp%\{random}.tmp
- %User Temp%\{random}.dll
- %User Temp%\{random}.err
- %User Temp%\{random}.out
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %System Root%\rundll32.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
HOSTS File Modification
This Trojan modifies the system's HOSTS files to redirect users once the following Web site(s) are accessed:
- bancaribe.com.ve
- www.bancaribe.com.ve
- bancodevenezuela.com
- www.bancodevenezuela.com
- provincial.com
- www.provincial.com
- bodinternet.com
- www.bodinternet.com
It adds the following strings to the Windows HOSTS file:
- 74.221.212.116 bancaribe.com.ve
- 74.221.212.116 www.bancaribe.com.ve
- 74.221.212.116 bancodevenezuela.com
- 74.221.212.116 www.bancodevenezuela.com
- 74.221.212.116 provincial.com
- 74.221.212.116 www.provincial.com
- 74.221.212.116 bodinternet.com
- 74.221.212.116 www.bodinternet.com
NOTES:
It drops an AUTORUN.INF file in the system root folder to automatically execute the copy it drops there when a user accesses this drive.
The said .INF file contains the following strings:
[autorun]
shelexecute=rundll32.exe