Win32/Koutodoor is a malware family that is capable of changing the Internet Explorer home page and downloading arbitrary files from certain servers. It can also open certain webpages using Internet Explorer.
Installation
Win32/Koutodoor drops the following components:
- %TEMP%\<random characters>.exe, for example "monney.exe"; this contains the malware payload
- %TEMP%\<random characters>.bat, for example "xanauo.bat"; this contains commands to execute
- <system folder>\<random characters>.dll, the malware file installed as a service
- <system folder>\<random characters>.sys, the rootkit component
Its .dll component is registered as a service with a random name under the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\
Its rootkit component is not installed if any of the following security applications are found on the computer:
- 360tray.exe
- avp.exe
- rstray.exe
Win32/Koutodoor also modifies the following registry entries to store its configuration data:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime
Sets value: "SID"
With data: "<current user's SID>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime
Sets value: "Safe"
With data: "<number>"
Payload
Downloads arbitrary files
Win32/Koutodoor checks the Internet Explorer home page by accessing the following registry entry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Value: "Start page"
It checks if the home page contains any of the following strings:
- about:blank
- baidu.com
- hao123.com
If any of these strings is found, Win32/Koutodoor downloads files from the following servers:
- szbbs.info
- ksbbs.info
- csbbs.info
- shiping8.info
If not, Win32/Koutodoor downloads files from the following servers instead:
- 236236.info
- 139139.info
- 134135.info
- 135136.info
- 100du.info
It then executes its downloaded file.
Modifies the Internet Explorer start page
Win32/Koutodoor sets the start page to one of a list of URLs.
Connects to remote servers
Win32/Koutodoor connects to the following servers to report that it has successfully infected the computer:
- dwon1028Request.cn
- pg1028Report.cn
- ppzy.com
It also connects to the following websites using Internet Explorer:
- www.9348.cn/<removed>?s
- www.go2000.cn/index<removed>.htm
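As an added example that is not part of this write-up, a Python hunt over exported host artifacts: it parses a .reg export for the configuration values the malware writes under the DateTime key, reproduces the start-page check that selects the download server set, and flags DNS queries for the download and report servers listed above. The .reg layout, the DNS log line format and every sample value (including the SID) are constructed assumptions, not real captures.

```python
import re

# Key the malware repurposes for its configuration, and the value names it sets there.
CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime"
CONFIG_VALUES = {"SID", "Safe"}
TRIGGER_STRINGS = ("about:blank", "baidu.com", "hao123.com")  # start-page check
SERVERS_IF_MATCH = {"szbbs.info", "ksbbs.info", "csbbs.info", "shiping8.info"}
SERVERS_OTHERWISE = {"236236.info", "139139.info", "134135.info", "135136.info", "100du.info"}
REPORT_SERVERS = {"dwon1028request.cn", "pg1028report.cn", "ppzy.com"}
ALL_SERVERS = SERVERS_IF_MATCH | SERVERS_OTHERWISE | REPORT_SERVERS

def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}} for quoted string values only."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def expected_servers(start_page):
    """Server set the malware would contact, given the IE 'Start page' data."""
    page = start_page.lower()
    return SERVERS_IF_MATCH if any(s in page for s in TRIGGER_STRINGS) else SERVERS_OTHERWISE

def hunt(reg_text, dns_lines):
    """Sorted indicator strings found in a .reg export and in DNS query log lines."""
    reg = parse_reg_export(reg_text)
    found = [f"registry: {CONFIG_KEY}\\{n} = {d}"
             for n, d in reg.get(CONFIG_KEY, {}).items() if n in CONFIG_VALUES]
    for line in dns_lines:  # constructed log format: "<timestamp> query: <host> <type>"
        m = re.search(r"query:\s*(\S+)", line)
        host = m.group(1).lower().rstrip(".") if m else ""
        if ".".join(host.split(".")[-2:]) in ALL_SERVERS:  # match on the registrable domain
            found.append(f"dns: {host}")
    return sorted(found)

# Constructed sample artifacts (not real captures); the SID is a placeholder.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime]
"SID"="S-1-5-21-EXAMPLE-1001"
"Safe"="0"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start page"="about:blank"
"""
SAMPLE_DNS = ["2024-01-01T10:00:01 query: www.example.com A",
              "2024-01-01T10:00:02 query: pg1028Report.cn A",
              "2024-01-01T10:00:03 query: update.szbbs.info A"]
```

Running `hunt(SAMPLE_REG, SAMPLE_DNS)` on the constructed sample returns the two DateTime configuration values and the two queried servers; the 28 start-page domains are deliberately not encoded here.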
Analysis by Patrick Estavillo