Backdoor:Win32/Kelihos.B is a trojan that distributes spam email messages that may contain web links to installers of the trojan. It may also communicate with remote computers to exchange information that it uses to execute various tasks such as sending spam emails, stealing sensitive information, or downloading and executing arbitrary files.
Installation
When run, the trojan creates a shared memory object, or "section object", named "GoogleImpl" to ensure only one instance of the trojan executes at a time. During installation of Backdoor:Win32/Kelihos.B, the registry is modified to run the trojan at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "SmartIndex"
With data: "<path and file name of Win32/Kelihos trojan>"
This malware creates the registry subkey "HKCU\Software\Google" and stores configuration data in the created subkey, as in the following examples:
In subkey: HKCU\Software\Google
Sets value: "AppID"
With data: "<variable data>"
Sets value: "ID"
With data: "0x00000050”
Sets value: "ID2"
With data: "<variable data>"
Sets value: "ID3"
With data: "<variable data>"
Payload
Communicates with a remote host and executes various functions
Backdoor:Win32/Kelihos.B exchanges encrypted messages with a remote server via HTTP protocol (TCP 80) to evade detection by security software or other filters. Data received from the remote server is interpreted by Win32/Kelihos and could contain instructions for the malware to perform any number of actions, including but not limited to the following:
- Update a list of possibly compromised computers that the malware communicates and exchanges information with
- Send spam email messages
- Capture sensitive information
- Send notifications or reports
- Download and execute arbitrary files
Sends Spam Emails
This trojan uses SMTP to send spam email messages that are constructed based on certain templates and other data received from a remote server. The subject, body and contents of the spam email vary and can be updated at any time. Backdoor:Win32/Kelihos.B may use more than one spam campaign running at the same time. The malware may harvest email addresses from the affected computer's local drive by searching within certain files. It avoids searching within certain file types, including the following:
-
.7z
-
.avi
-
.bmp
-
.class
-
.dll
-
.exe
-
.gif
-
.gz
-
.hxd
-
.hxh
-
.hxn
-
.hxw
-
.jar
-
.jpeg
-
.jpg
-
.mov
-
.mp3
-
.msi
-
.ocx
-
.ogg
-
.png
-
.rar
-
.vob
-
.wav
-
.wave
-
.wma
-
.wmv
-
.zip
The harvested email addresses are used as potential recipients for spam email messages distributed by Backdoor:Win32/Kelihos.B.
Captures sensitive information
Variants of Win32/Kelihos may use WinPcap to monitor network traffic and capture information such as login credentials from FTP, POP3 and SMTP traffic.
Analysis by Gilou Tenebro
