
Backdoor:Win32/Kelihos.F


Microsoft security software detects and removes this threat.

This trojan can give a malicious hacker access and control of your PC.

It can be installed by other malware, such as TrojanDownloader:Win32/Waledac.C, or other variants of the Win32/Kelihos family.

The family spreads by sending spam emails that contain links to other malware. It can also communicate with other PCs to exchange information about sending spam, steal your sensitive information, or download and run malicious files.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat can be installed by other malware, such as TrojanDownloader:Win32/Waledac.C, or other variants of Win32/Kelihos. It can have the file name:

The trojan changes this registry entry so that it runs every time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "IntelAgent"
With data: "%windir%\temp\temp68.exe"

It also creates these registry entries to store its configuration data:

In subkey: HKCU\Software\Intel
Sets value: "DATAID"
With data: "<variable data>"
Sets value: "DATA"
With data: "0x00000050"
Sets value: "DATA2"
With data: "<variable data>"
Sets value: "DATA3"
With data: "<variable data>"

where the variable data contains the IP addresses that Kelihos connects to.
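A defender-side check for the persistence and configuration indicators listed above, added here as an example (it is not Microsoft's tooling): it parses a registry export in the .reg format and flags the "IntelAgent" autorun value pointing at temp68.exe and the DATA* values under HKCU\Software\Intel. The sample export and its IP addresses are constructed for the demonstration.

```python
import re
# Indicators from the write-up above: the autorun value and the configuration subkey.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSIST_VALUE = "IntelAgent"
PERSIST_SUFFIX = r"\temp\temp68.exe"          # %windir%\temp\temp68.exe, once expanded
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Intel"
CONFIG_VALUES = {"DATAID", "DATA", "DATA2", "DATA3"}

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)   # "name"=data  or  @=data
        if m and current is not None:
            keys[current][m.group(1) or "@"] = m.group(2)
    return keys

def find_kelihos_indicators(keys):
    """Return (key, value, reason) tuples for every indicator found in the parsed export."""
    hits = []
    run_data = keys.get(RUN_KEY, {}).get(PERSIST_VALUE)
    if run_data is not None:
        # .reg exports quote strings and double the backslashes; undo both before comparing.
        path = run_data.strip('"').replace("\\\\", "\\").lower()
        if path.endswith(PERSIST_SUFFIX.lower()):
            hits.append((RUN_KEY, PERSIST_VALUE, "autorun entry launches temp68.exe"))
    config = keys.get(CONFIG_KEY, {})
    present = CONFIG_VALUES & set(config)   # the subkey alone is not suspicious; the value names are
    if present:
        hits.append((CONFIG_KEY, ",".join(sorted(present)), "Kelihos configuration values present"))
    if config.get("DATA", "").lower() == "dword:00000050":
        hits.append((CONFIG_KEY, "DATA", "DATA holds 0x00000050 as described in the write-up"))
    return hits

# Constructed sample export (not a real capture); the IP addresses are documentation ranges.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"IntelAgent"="C:\\Windows\\temp\\temp68.exe"
[HKEY_CURRENT_USER\Software\Intel]
"DATAID"="203.0.113.10"
"DATA"=dword:00000050
"DATA2"="198.51.100.7"
'''
```

Run `find_kelihos_indicators(parse_reg_export(SAMPLE_REG))` against an export taken with `reg export`; the benign SecurityHealth entry in the sample produces no hit.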

When run, Kelihos installs the following legitimate WinPcap files:

Payload

Communicates with a hacker

Kelihos exchanges encrypted messages over HTTP with a hacker on a remote PC to retrieve further payload instructions. Depending on the message, Kelihos can do any of these:

  • Update the list of PCs that the malware connects to and exchanges information with (the PCs in that list may themselves be compromised by the malware)
  • Send spam emails
  • Steal sensitive information
  • Send notifications or reports
  • Download and run files

Analysis by Edgardo Diaz


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
     
    %windir%\temp\temp68.exe

  • You see these entries or keys in your registry:
     
    In subkey: HKCU\Software\Intel
    Sets value: "DATAID"
    With data: "<variable data>"
    Sets value: "DATA"
    With data: "0x00000050"

Prevention


Alert level: Severe
First detected by definition: 1.123.636.0
Latest detected by definition: 1.191.867.0 and higher
First detected on: Mar 29, 2012
This entry was first published on: Mar 29, 2012
This entry was updated on: Sep 01, 2014

This threat is also detected as:
  • BDS/Kelihos.F.50 (Avira)
  • Trojan.Packed.2339 (Dr.Web)
  • Trojan.Win32.FakeAv.lqyd (Kaspersky)
  • Mal/FakeAV-QV (Sophos)