
Backdoor:Win32/Kelihos.B


Backdoor:Win32/Kelihos.B is a trojan that distributes spam email messages that may contain web links to installers of the trojan. It may also communicate with remote computers to exchange information that it uses to execute various tasks such as sending spam emails, stealing sensitive information, or downloading and executing arbitrary files.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation

When run, the trojan creates a shared memory object, or "section object", named "GoogleImpl" to ensure that only one instance of the trojan executes at a time; the Google-like name is chosen to blend in with legitimate software. During installation of Backdoor:Win32/Kelihos.B, the registry is modified to run the trojan at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "SmartIndex"
With data: "<path and file name of Win32/Kelihos trojan>"

This malware creates the registry subkey "HKCU\Software\Google" and stores configuration data in the created subkey, as in the following examples:

In subkey: HKCU\Software\Google
Sets value: "AppID"
With data: "<variable data>"
Sets value: "ID"
With data: "0x00000050"
Sets value: "ID2"
With data: "<variable data>"
Sets value: "ID3"
With data: "<variable data>"  
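The persistence value and the configuration values above are the artifacts a responder can check offline. The following Python script is an added example, not Microsoft's code: it parses the text that `reg export` writes for the two subkeys and reports the "SmartIndex" Run value and the AppID/ID/ID2/ID3 values under HKCU\Software\Google. The sample dump embedded in it is constructed for the example, and the executable path in it is a placeholder rather than a real indicator.

```python
"""Flag Backdoor:Win32/Kelihos.B registry indicators in a `reg export` dump.

Added example, not Microsoft's code. It parses the text that `reg export`
writes and reports the Run value "SmartIndex" plus the AppID/ID/ID2/ID3
values under HKCU\\Software\\Google that the write-up lists. SAMPLE_EXPORT is
constructed for the example; the executable path in it is a placeholder.
"""
import re
from typing import Dict, List, Tuple

# Indicators as listed in the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SmartIndex"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Google"
CONFIG_VALUES = {"AppID", "ID", "ID2", "ID3"}
EXPECTED_ID = 0x50  # the write-up shows "ID" = 0x00000050

# Value lines look like "Name"="data", "Name"=dword:00000050 or @="default".
VALUE_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            keys[current][name] = m.group(2)
    return keys

def reg_string(raw: str) -> str:
    """Unescape a quoted REG_SZ value (reg export doubles backslashes)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def find_kelihos_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every indicator present in the dump."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        # Registry key and value names are case-insensitive; compare that way.
        if key.lower() == RUN_KEY.lower():
            for name, raw in values.items():
                if name.lower() == RUN_VALUE.lower():
                    hits.append((key, name, reg_string(raw)))
        elif key.lower() == CONFIG_KEY.lower():
            for name, raw in values.items():
                if name in CONFIG_VALUES:
                    hits.append((key, name, raw))
    return hits

def config_id_matches(text: str) -> bool:
    """True if the "ID" value under HKCU\\Software\\Google is the DWORD 0x50."""
    for key, values in parse_reg_export(text).items():
        if key.lower() == CONFIG_KEY.lower():
            raw = values.get("ID", "").lower()
            if raw.startswith("dword:"):
                return int(raw[len("dword:"):], 16) == EXPECTED_ID
    return False

# Constructed sample dump; the Kelihos path is a placeholder, not a real IOC.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"SmartIndex"="C:\\Users\\user\\AppData\\Local\\Temp\\svcidx.exe"

[HKEY_CURRENT_USER\Software\Google]
"AppID"="3a7c0ff12b"
"ID"=dword:00000050
"ID2"="d41d8cd9"
"ID3"="8f1c2e"
"""

if __name__ == "__main__":
    for key, name, data in find_kelihos_indicators(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}")
    print("ID matches 0x50:", config_id_matches(SAMPLE_EXPORT))
```

To use it against a live host, export the two subkeys with `reg export` (which writes UTF-16LE text, so open the files with that encoding) and pass the contents in. Treat the Run value as the primary indicator: HKCU\Software\Google is also created by legitimate Google software, so only the specific value names, not the presence of the key, corroborate an infection. The "GoogleImpl" section object is a separate check; named sections appear under \BaseNamedObjects and can be inspected with Sysinternals WinObj or handle.exe while the process is running.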

Payload

Communicates with a remote host and executes various functions
Backdoor:Win32/Kelihos.B exchanges encrypted messages with a remote server over HTTP (TCP port 80); using a common port and encrypting the content helps it evade detection by security software or other filters. Data received from the remote server is interpreted by Win32/Kelihos and could contain instructions for the malware to perform any number of actions, including but not limited to the following:

  • Update its list of peers (other possibly compromised computers) that the malware communicates and exchanges information with
  • Send spam email messages
  • Capture sensitive information
  • Send notifications or reports
  • Download and execute arbitrary files

Sends spam emails
This trojan uses SMTP to send spam email messages that are constructed from templates and other data received from a remote server. The subject, body and contents of the spam email vary and can be updated at any time. Backdoor:Win32/Kelihos.B may run more than one spam campaign at the same time. The malware may harvest email addresses from the affected computer's local drive by searching within certain files. It avoids searching within certain file types, including the following:

  • .7z
  • .avi
  • .bmp
  • .class
  • .dll
  • .exe
  • .gif
  • .gz
  • .hxd
  • .hxh
  • .hxn
  • .hxw
  • .jar
  • .jpeg
  • .jpg
  • .mov
  • .mp3
  • .msi
  • .ocx
  • .ogg
  • .png
  • .rar
  • .vob
  • .wav
  • .wave
  • .wma
  • .wmv
  • .zip

The harvested email addresses are used as potential recipients for spam email messages distributed by Backdoor:Win32/Kelihos.B.
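The skip list above is applied by extension only, so anything that is not an archive, binary or media file is in scope, including text, HTML and mail-client data files. The following Python script is an added example, not Microsoft's or the malware's code: it walks a directory with the same skip list and reports which files would have been read and which addresses they contain, which tells a responder what was exposed on a compromised host. The address pattern is a deliberately simple placeholder (the write-up does not describe the malware's matcher), and the directory contents are constructed in a temporary folder for the example.

```python
"""Which files on a tree fall inside Kelihos.B's address-harvesting scope.

Added example, not Microsoft's or the malware's code. It applies the skip
list from the write-up to a directory walk and extracts addresses from the
files the harvester would read. The sample tree is constructed for the example.
"""
import os
import re
import tempfile
from typing import Dict, Set

# Skip list copied from the write-up. Matching is by extension only, and
# NTFS paths are case-insensitive, so extensions are compared in lower case.
SKIPPED_EXTENSIONS = {
    ".7z", ".avi", ".bmp", ".class", ".dll", ".exe", ".gif", ".gz", ".hxd",
    ".hxh", ".hxn", ".hxw", ".jar", ".jpeg", ".jpg", ".mov", ".mp3", ".msi",
    ".ocx", ".ogg", ".png", ".rar", ".vob", ".wav", ".wave", ".wma", ".wmv", ".zip",
}

# Placeholder address pattern; the write-up does not describe the real matcher.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def in_harvest_scope(path: str) -> bool:
    """True if the file is not in the skip list, i.e. the harvester would read it."""
    return os.path.splitext(path)[1].lower() not in SKIPPED_EXTENSIONS

def harvest(root: str, max_bytes: int = 1 << 20) -> Dict[str, Set[str]]:
    """Walk root and return {relative_path: {addresses}} for in-scope files.

    max_bytes is an assumption of this example (a per-file read cap), not a
    documented property of the malware.
    """
    found: Dict[str, Set[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not in_harvest_scope(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read(max_bytes)
            addrs = {m.decode("ascii", "replace") for m in EMAIL_RE.findall(data)}
            if addrs:
                found[os.path.relpath(full, root)] = addrs
    return found

def build_sample_tree(root: str) -> None:
    """Constructed sample: addresses in skipped and non-skipped file types."""
    files = {
        "notes.txt": b"contact: alice@example.com, bob@example.org\n",
        "photo.JPG": b"\xff\xd8\xff\xe0 EXIF comment: carol@example.net",
        "outbox.htm": b"<a href='mailto:dave@example.com'>Dave</a>",
        "setup.exe": b"MZ... support@example.com",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

def demo() -> Dict[str, Set[str]]:
    """Build the sample tree in a temp dir and return what the harvester sees."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return harvest(root)

if __name__ == "__main__":
    for path, addrs in sorted(demo().items()):
        print(path, sorted(addrs))
```

Only the .txt and .htm files are reported; the same address inside the .JPG and .exe files is never read because the skip list is applied before the file is opened. One practical use of this footprint: a canary address seeded in a file type outside the skip list (a plain .txt in a user profile, for instance) gives you a signal that the host was scraped if spam later arrives at that address.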

Captures sensitive information
Variants of Win32/Kelihos may use WinPcap to monitor network traffic and capture information such as login credentials from FTP, POP3 and SMTP traffic. These protocols carry credentials in clear text unless the session is protected with TLS, so a packet capture on the affected computer is enough to read them.
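To make concrete what a host-level sniffer gets from these three protocols, the following Python script is an added example, not Microsoft's or the malware's code. It runs over constructed client-to-server stream payloads (no pcap library and no network access) and pulls out the FTP and POP3 USER/PASS pairs and the SMTP AUTH PLAIN and AUTH LOGIN exchanges, which is exactly the material a capture on TCP 21, 110 and 25 exposes when the sessions are not wrapped in TLS. The stream contents and the usernames and passwords in them are constructed for the example.

```python
"""What a sniffer sees on cleartext FTP, POP3 and SMTP: the login itself.

Added example, not Microsoft's or the malware's code. The streams below are
constructed client-side payloads; nothing is captured from a real network.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# FTP (RFC 959) and POP3 (RFC 1939) both send USER and PASS as plain commands.
USER_PASS_RE = re.compile(rb"^(USER|PASS)\s+(.+)$", re.IGNORECASE)
# SMTP AUTH PLAIN carries base64("\0user\0pass"), inline or on the next line;
# AUTH LOGIN sends base64(user) and base64(pass) as separate lines.
AUTH_PLAIN_RE = re.compile(rb"^AUTH\s+PLAIN(?:\s+(\S+))?$", re.IGNORECASE)
AUTH_LOGIN_RE = re.compile(rb"^AUTH\s+LOGIN(?:\s+(\S+))?$", re.IGNORECASE)

def _b64(blob: bytes) -> Optional[str]:
    """Decode a base64 token, or None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None

def extract_credentials(proto: str, client_stream: bytes) -> List[Dict[str, str]]:
    """Return the logins visible in one client->server stream of the given protocol."""
    lines = [line.rstrip(b"\r") for line in client_stream.split(b"\n")]
    creds: List[Dict[str, str]] = []
    user: Optional[str] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if proto in ("ftp", "pop3"):
            m = USER_PASS_RE.match(line)
            if not m:
                continue
            cmd, arg = m.group(1).upper(), m.group(2).decode("utf-8", "replace")
            if cmd == b"USER":
                user = arg
            elif cmd == b"PASS" and user is not None:
                creds.append({"proto": proto, "user": user, "password": arg})
                user = None
        elif proto == "smtp":
            m = AUTH_PLAIN_RE.match(line)
            if m:
                blob = m.group(1) or (lines[i] if i < len(lines) else b"")
                if not m.group(1):
                    i += 1
                decoded = _b64(blob)
                if decoded is not None and decoded.count("\0") == 2:
                    _authzid, u, p = decoded.split("\0")
                    creds.append({"proto": proto, "user": u, "password": p})
                continue
            m = AUTH_LOGIN_RE.match(line)
            if m:
                if m.group(1):
                    u = _b64(m.group(1))
                else:
                    u = _b64(lines[i]) if i < len(lines) else None
                    i += 1
                p = _b64(lines[i]) if i < len(lines) else None
                i += 1
                if u is not None and p is not None:
                    creds.append({"proto": proto, "user": u, "password": p})
    return creds

# Constructed client streams; the accounts and passwords are made up.
SAMPLE_STREAMS: List[Tuple[str, bytes]] = [
    ("ftp", b"USER alice\r\nPASS s3cret!\r\nPWD\r\nQUIT\r\n"),
    ("pop3", b"USER bob@example.org\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"),
    ("smtp", b"EHLO client.example\r\nAUTH PLAIN "
             + base64.b64encode(b"\0carol\0p4ss") + b"\r\nQUIT\r\n"),
    ("smtp", b"EHLO client.example\r\nAUTH LOGIN\r\n"
             + base64.b64encode(b"dave") + b"\r\n"
             + base64.b64encode(b"pw") + b"\r\nQUIT\r\n"),
]

def sniff_all() -> List[Dict[str, str]]:
    """Run the extractor over every constructed stream."""
    out: List[Dict[str, str]] = []
    for proto, stream in SAMPLE_STREAMS:
        out.extend(extract_credentials(proto, stream))
    return out

if __name__ == "__main__":
    for c in sniff_all():
        print(f"{c['proto']}: {c['user']} / {c['password']}")
```

The base64 in AUTH PLAIN and AUTH LOGIN is encoding, not protection; it decodes in one call. After a successful STARTTLS, or on FTPS, POP3S and SMTPS, the same capture position sees only TLS records, which is the mitigation: require TLS on mail and FTP clients on hosts where a compromise of this kind is a concern, and treat any credential seen in clear on the wire as exposed.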

Analysis by Gilou Tenebro


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "SmartIndex"
    With data: "<path and file name of Win32/Kelihos trojan>"

    In subkey: HKCU\Software\Google
    Sets value: "AppID"
    With data: "<variable data>"
    Sets value: "ID"
    With data: "0x00000050"
    Sets value: "ID2"
    With data: "<variable data>"
    Sets value: "ID3"
    With data: "<variable data>"


Prevention


Alert level: Severe
First detected by definition: 1.97.1518.0
Latest detected by definition: 1.167.1090.0 and higher
First detected on: Feb 11, 2011
This entry was first published on: Sep 22, 2011
This entry was updated on: Sep 27, 2011

This threat is also detected as:
  • TR/Crypt.XPACK.Gen2 (Avira)
  • Trojan.DownLoad2.20646 (Dr.Web)
  • Trojan-Downloader.Win32.FraudLoad.ynsc (Kaspersky)
  • PWS-Zbot.gen.ia (McAfee)
  • Mal/FakeAV-GQ (Sophos)
  • TROJ_FRAUDLO.DM (Trend Micro)