TROJ_KOVTER.TGJ
Trojan:Win32/Kovter.C (Microsoft), a variant of Win32/Kryptik.CNOB (ESET)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
269,360 bytes
EXE
No
09 Feb 2015
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_AJAX_CONNECTIONEVENTS
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
It adds the following registry entries:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_AJAX_CONNECTIONEVENTS
svchost.exe = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
explorer.exe = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
svchost.exe = "0"
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}e.pw/form2.php