KELIHOS
Waledac
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
KELIHOS is a botnet first seen in 2010. It is mainly used for spreading other malware through spammed email messages. Besides spamming, some variants exhibit Biitcoin mining and distributed denial of service (DDoS) attacks.
TECHNICAL DETAILS
Installation
This worm adds the following possibly malicious files or file components:
- {All User's Profile}\Application Data\boost_interprocess\{Date and Time of infection}\GoogleImpl
It creates the following folders:
- %System Root%\All Users\Application Data\boost_interprocess
- %System Root%\All Users\Application Data\boost_interprocess\{current date and time}
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SmartIndex = "{malware path and file name}"
Other System Modifications
This worm adds the following registry keys:
HKEY_CURRENT_USER\Software\Google
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Google
ID = "50"
HKEY_CURRENT_USER\Software\Google
ID2 = "{random values}"
HKEY_CURRENT_USER\Software\Google
ID3 = "{random values}"
HKEY_CURRENT_USER\Software\Google
AppID = "{random characters}"
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:Enabled:{file name}"
Other Details
This worm connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.185.46/vYho/w5/pMSeoeJQF.htm