Backdoor:Win32/Kelihos.F

Installation

This threat can be installed by other malware, such as TrojanDownloader:Win32/Waledac.C, or other variants of Win32/Kelihos. It can have the file name:

• %windir%\temp\temp68.exe

The trojan changes this registry entry so that it runs every time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "IntelAgent"
With data: "%windir%\temp\temp68.exe"

It also creates these registry entries to stores its configuration data:

In subkey: HKCU\Software\Intel
Sets value: "DATAID"
With data: "<variable data>"
Sets value: "DATA"
With data: "0x00000050"
Sets value: "DATA2"
With data: "<variable data>"
Sets value: "DATA3"
With data: "<variable data>"

where all the variable data contains IP addresses used by Kelihos to connect with.

When run, Kelihos installs the following legitimate WinPcap files:

• <system folder>\packet.dll (not malware)
• <system folder>\wpcap.dll (not malware)
• <system folder>\drivers\npf.sys (not malware)

Payload

Communicates with a hacker

Kelihos exchanges encrypted messages with a hacker in a remote PC via HTTP to retrieve other payload instructions. Depending on the message, Kelihos can do any of these:

• Update a list of PCs that the malware connects and exchanges information with (it is possible that the PCs in the list are compromised by the malware too)
• Send spam emails
• Steal sensitive information
• Send notifications or reports
• Download and run files

Analysis by Edgardo Diaz