Backdoor:Win32/Kelihos.A


Backdoor:Win32/Kelihos.A is a trojan that distributes spam email messages that may contain web links to installers of itself. It may also connect to remote computers to exchange configuration data and to download and execute arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may have been installed on your computer, run a full-system scan with an up-to-date antivirus product. For more information about using antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Backdoor:Win32/Kelihos.A modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "SmartIndex"
With data: "<path and file name of Win32/Kelihos trojan>.exe"
 
This malware creates the registry subkey "HKCU\Software\Google" and creates the following registry and configuration data:
 
In subkey: HKCU\Software\Google
Sets value: "AppID"
With data: "<variable data>"
 
Sets value: "ID"
With data: "0x00000050"
 
Sets value: "ID2"
With data: "<variable data>"
 
Sets value: "ID3"
With data: "<variable data>"
 
The malware creates a mapped file whose path has the following format:
 
<path>\boost_interprocess\<14 numerical digits>.<6 numerical digits>\googleimpl
 
The mapped file above refers to a shared memory object that the malware may use to check for its presence on the affected computer.
 
Note: "<path>" refers to either "C:\Documents and Settings\All Users\Application Data" or "C:\ProgramData", depending on the version of the Windows operating system. The folder name "<14 numerical digits>.<6 numerical digits>" is created from the system date and time value.
Payload
Communicates with a remote host
Backdoor:Win32/Kelihos.A exchanges encoded information with a remote computer mainly through HTTP GET requests and responses. Using this information, it may do any of the following:
  • Update the list of computers that the malware connects to and exchanges information with (Note: It is possible that the computers in the list are also compromised by the malware.)
  • Send spam emails constructed from the templates and data received (Note: The subject, body and contents of the email vary and can be updated at any time.)
  • Download and execute an arbitrary file
 
Additional Information
Backdoor:Win32/Kelihos.A has a logging "feature": if it is run with the parameter "/loggs99", logging is enabled. The log file is saved in the same directory from which the trojan executes, with the file extension ".LOG".
 
Analysis by Gilou Tenebro

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adds value: "SmartIndex"
    With data: "<path and file name of Win32/Kelihos trojan>.exe"

    In subkey: HKCU\Software\Google
    Sets value: "AppID"
    With data: "<variable data>"

    Sets value: "ID"
    With data: "0x00000050"

    Sets value: "ID2"
    With data: "<variable data>"

    Sets value: "ID3"
    With data: "<variable data>"
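An added detection helper, not part of this Microsoft entry, that checks host data against the indicators listed in the Installation and Symptoms sections: the "SmartIndex" Run value, the HKCU\Software\Google values and the boost_interprocess\<14 digits>.<6 digits>\googleimpl mapped-file path under either ProgramData location. The (subkey, value name) export format, the placeholder .exe name and the sample data below are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Registry locations named in this entry.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
GOOGLE_KEY = r"HKCU\Software\Google"

# Backing file of the shared-memory object: <path>\boost_interprocess\<14 digits>.<6 digits>\googleimpl,
# where <path> is the ProgramData folder of either Windows generation.
MAPPED_FILE_RE = re.compile(
    r"^(?:C:\\Documents and Settings\\All Users\\Application Data|C:\\ProgramData)"
    r"\\boost_interprocess\\\d{14}\.\d{6}\\googleimpl$",
    re.IGNORECASE,
)

def check_registry(values: Dict[Tuple[str, str], str]) -> List[str]:
    """values maps (subkey, value name) -> data as strings, e.g. from a host export (assumed format)."""
    hits = []
    run_data = values.get((RUN_KEY, "SmartIndex"))
    if run_data and run_data.lower().endswith(".exe"):
        hits.append(f"Run\\SmartIndex -> {run_data}")
    # ID is the only fixed datum in the entry; AppID, ID2 and ID3 vary per infection.
    if values.get((GOOGLE_KEY, "ID")) == "0x00000050":
        hits.append("Google\\ID == 0x00000050")
    for name in ("AppID", "ID2", "ID3"):
        if (GOOGLE_KEY, name) in values:
            hits.append(f"Google\\{name} present")
    return hits

def check_files(paths: List[str]) -> List[str]:
    """Return the paths that match the googleimpl mapped-file pattern."""
    return [p for p in paths if MAPPED_FILE_RE.match(p)]

def assess(values: Dict[Tuple[str, str], str], paths: List[str]) -> dict:
    reg, files = check_registry(values), check_files(paths)
    # A lone HKCU\Software\Google key is not enough: legitimate Google software uses it too.
    # Treat the Run value or the mapped file as the deciding indicator.
    strong = any(h.startswith("Run\\") for h in reg) or bool(files)
    return {"registry": reg, "files": files, "match": strong}

# Constructed sample input (not data from a real host); the .exe name is a placeholder.
SAMPLE_REGISTRY = {
    (RUN_KEY, "SmartIndex"): r"C:\ProgramData\placeholder_kelihos.exe",
    (GOOGLE_KEY, "AppID"): "constructed-variable-data",
    (GOOGLE_KEY, "ID"): "0x00000050",
}
SAMPLE_PATHS = [
    r"C:\ProgramData\boost_interprocess\20110417153012.123456\googleimpl",
    r"C:\ProgramData\boost_interprocess\20110417\googleimpl",  # wrong digit count, ignored
]
```

On a live host the same checks would be fed from a registry export and a directory listing of the two ProgramData locations; the DWORD value must be rendered as "0x00000050" to match.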

Prevention


Alert level: Severe
First detected by definition: 1.95.1884.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 15, 2010
This entry was first published on: Jan 10, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • FakeAlert-SecurityTool.ao (McAfee)
  • WORM_KELIHOS.SM (Trend Micro)
  • Troj/FakeAV-CHM (Sophos)