PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

KLOVBOT is a family of spyware that steals information such as the affected system's host name and OS version. It then sends the stolen information to its command-and-control (C&C) server.

KLOVBOT variants can download a file from their server that modifies the system's hosts file; once specific websites are accessed, the modified hosts file redirects users to fake websites of banks and financial institutions.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Collects system information

Installation

This spyware drops the following copies of itself into the affected system:

  • %System%\csrcs.exe
  • %Windows%\csrcs.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Player = "%System%\csrcs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsofts = "%Windows%\csrcs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UACDisableNotify = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = "0"

Information Theft

This spyware gathers the following data:

  • Host Name
  • OS Version

Other Details

This spyware connects to the following possibly malicious URLs:

  • http://{BLOCKED}venezuela2.co.cc/priv8/bots.php?name={Host Name}&so={OS Version}&zila=&mail=
  • http://{BLOCKED}.{BLOCKED}.39.250:80/~exceedin/vOlk/priv8/bots.php/name={Host Name}&so={OS Version}&pasw=&file=
  • http://{BLOCKED}os.info/cl/priv8/bots.php?name={Host Name}&so={OS Version}&zila=&mail=
  • http://{BLOCKED}.{BLOCKED}.244.61/~mivergae/PESHERA/Online/priv8/bots.php?name={Host Name}&so={OS Version}&zila=&mail=
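The two network-visible behaviours in this entry, the hosts-file redirection described under Overview and the bots.php beacons listed above, can both be checked from a defender's side without the sample. The following Python script is an added example, not code from the advisory or from Trend Micro: it scans proxy log lines for the beacon URL shape (a `/priv8/bots.php` path followed by `name=` and `so=` parameters, whether they appear after `?` or, as in the second listed URL, after a trailing `/`) and flags hosts-file lines that map a name to anything other than a loopback or null address. The log lines, hosts file, host names and addresses are constructed for the example; the real C&C hosts are redacted on the page and are not reproduced here.

```python
import re
from urllib.parse import unquote

# Constructed proxy log lines (not from the advisory): "<client> <method> <url>".
# Lines 1 and 2 mimic the two beacon shapes listed on the page; 3 and 4 are benign.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://example.test/priv8/bots.php?name=WS-017&so=Windows%20XP&zila=&mail=",
    "10.0.0.8 GET http://203.0.113.39/~exceedin/vOlk/priv8/bots.php/name=WS-022&so=Windows%207&pasw=&file=",
    "10.0.0.9 GET http://example.test/index.html",
    "10.0.0.9 GET http://example.test/search.php?name=report&so=",
]

# Constructed hosts file (not from the advisory). The two examplebank.test lines
# stand in for the bank redirections the advisory describes.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
::1 localhost
198.51.100.23 www.examplebank.test
198.51.100.23 online.examplebank.test
127.0.0.1 ads.example.test   # sinkholed ad host, not an override
"""

# Beacon shape from the advisory: /priv8/bots.php, then either "?" or "/",
# then (optionally some other parameters and) name=<host>&so=<os>.
BEACON_RE = re.compile(
    r"/priv8/bots\.php[/?](?:[^\s&]*&)*name=(?P<name>[^&\s]*)&so=(?P<so>[^&\s]*)"
)

# Addresses that a legitimate hosts file commonly maps names to.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def find_c2_beacons(log_lines):
    """Return one finding per log line whose URL matches the KLOVBOT beacon shape."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the scan
        client, url = fields[0], fields[2]
        match = BEACON_RE.search(url)
        if match is None:
            continue
        findings.append({
            "client": client,
            "url": url,
            # The beacon leaks the victim's host name and OS version; decode them
            # so the finding says which machine is talking.
            "host_name": unquote(match.group("name")),
            "os_version": unquote(match.group("so")),
        })
    return findings


def find_hosts_overrides(hosts_text):
    """Return (name, address) pairs that map a name to a non-local address."""
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr in LOCAL_ADDRS:
            continue  # loopback/null mappings are normal (localhost, ad blocking)
        for name in names:
            overrides.append((name, addr))
    return overrides


if __name__ == "__main__":
    for f in find_c2_beacons(SAMPLE_PROXY_LOG):
        print(f"beacon from {f['client']} ({f['host_name']}, {f['os_version']}): {f['url']}")
    for name, addr in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {addr}")
```

On a real system the hosts text would come from `%System%\drivers\etc\hosts`, and every override it reports should be compared against what the name resolves to in public DNS; a bank's name pinned to an address the bank does not own is the redirection this entry describes.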