ALIASES:

Waledac

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via email

KELIHOS is a botnet first seen in 2010. It is mainly used for spreading other malware through spammed email messages. Besides spamming, some variants exhibit Bitcoin mining and distributed denial of service (DDoS) attacks.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Connects to URLs/IPs

Installation

This worm adds the following possibly malicious files or file components:

  • {All User's Profile}\Application Data\boost_interprocess\{Date and Time of infection}\GoogleImpl

It creates the following folders:

  • %System Root%\All Users\Application Data\boost_interprocess
  • %System Root%\All Users\Application Data\boost_interprocess\{current date and time}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SmartIndex = "{malware path and file name}"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Google

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Google
ID = "50"

HKEY_CURRENT_USER\Software\Google
ID2 = "{random values}"

HKEY_CURRENT_USER\Software\Google
ID3 = "{random values}"

HKEY_CURRENT_USER\Software\Google
AppID = "{random characters}"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:Enabled:{file name}"
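The artifacts listed under Autostart Technique and Other System Modifications can be checked on a host with the following read-only triage script. It is an added example, not part of this entry; the registry names and paths are the ones listed above, and it assumes PowerShell 3 or later on the affected machine.

```powershell
# Added triage script (not from the original entry): read-only check for the
# persistence, registry and firewall-bypass artifacts this entry lists.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$googleKey = 'HKCU:\Software\Google'
$fwList    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
             'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding($what, $value) {
    $findings.Add([pscustomobject]@{ Indicator = $what; Value = $value })
}

# Autostart: Run value named SmartIndex pointing at the malware file.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$malwarePath = $null
if ($run -and $run.PSObject.Properties.Name -contains 'SmartIndex') {
    $malwarePath = $run.SmartIndex
    Add-Finding 'Run\SmartIndex' $malwarePath
}

# Other modifications: HKCU\Software\Google with ID, ID2, ID3 and AppID values.
if (Test-Path $googleKey) {
    $g = Get-ItemProperty -Path $googleKey
    foreach ($name in 'ID', 'ID2', 'ID3', 'AppID') {
        if ($g.PSObject.Properties.Name -contains $name) {
            Add-Finding "Software\Google\$name" $g.$name
        }
    }
}

# Firewall bypass: an AuthorizedApplications entry "{path}:*:Enabled:{name}"
# whose value name equals the Run target found above.
if ($malwarePath -and (Test-Path $fwList)) {
    $fw = Get-ItemProperty -Path $fwList
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -eq $malwarePath -and $p.Value -match ':\*:Enabled:') {
            Add-Finding 'FirewallPolicy\AuthorizedApplications' $p.Value
        }
    }
}

# Dropped component: boost_interprocess\{timestamp}\GoogleImpl under the
# all-users profile. Legitimate Boost-based software also creates a
# boost_interprocess folder, so review a hit before acting on it.
$dropDir = Join-Path $env:ALLUSERSPROFILE 'Application Data\boost_interprocess'
Get-ChildItem -Path $dropDir -Recurse -Filter 'GoogleImpl' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName }

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No KELIHOS artifacts found.' }
```

Run it from an elevated prompt so the HKLM keys are readable; a SmartIndex hit paired with a matching AuthorizedApplications entry is the strongest indicator, since the firewall entry is keyed on the same file path.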

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.185.46/vYho/w5/pMSeoeJQF.htm