Trojan:Win32/Kovter.C


Microsoft security software detects and removes this threat.

It lets a malicious hacker access and control your PC from a command and control server (C&C).

It also lowers the security settings for Internet Explorer.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Kovter.C installs a copy of itself as %LOCALAPPDATA%\KB<random number>\KB<random number>.exe, for example, %LOCALAPPDATA%\KB3935267\KB3935267.exe.

It adds these entries to your registry so that its copy automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\KB<random number>\KB<random number>.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\kb<random number>\KB<random number>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\kb<random number>\KB<random number>.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\kb<random number>\KB<random number>.exe"

Trojan:Win32/Kovter.C might also add the following registry entry to store some of its configuration data or settings, like its path name, unique ID, and user agent string.

In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number>, for example, AFB117A7
Sets value: "1"
With data: "%LOCALAPPDATA%\KB<random number>\KB<random number>.exe"
Sets value: "2"
With data: ""
Sets value: "3"
With data: "<16-digit hexadecimal number>", for example, "222EA48E6EAA93B1"
Sets value: "4"
With data: "<10-digit hexadecimal number>", for example, "1390831483"
Sets value: "5"
With data: "<Browser user agent>", for example, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

Note that the hexadecimal numbers are derived from information about your PC, like the Windows product key and installation date read from the registry.

This threat might not run properly if any of these processes (which are related to security tools) are running on your PC:

  • a2service.exe
  • avcom.exe
  • avp.exe
  • BullGuard.exe
  • cmdagent.exe
  • dwengine.exe
  • jpf.exe
  • oaui.exe
  • op_mon.exe

It might also not run properly if it detects the presence of certain virtualization and analysis tools, like the following:

  • JoeBox
  • qEmu
  • Sandboxie
  • Sunbelt
  • Virtual Box
  • VirtualPC
  • Vmware
  • Wine
  • Wireshark

It injects its code into svchost.exe and the default HTML file viewer (which is usually a browser - Internet Explorer or Firefox, for example).

Payload

Changes Internet Explorer settings

This threat changes the following Internet Explorer settings:

Disables the home page warning message when Internet Explorer is opened for the first time:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "dword:00000001"

Sets tabs and frames to run within the same process in Internet Explorer:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "TabProcGrowth"
With data: "dword:00000000"

Lowers Internet zone security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1206"
With data: "dword:00000000"
Sets value: "1400"
With data: "dword:00000000"
Sets value: "1402"
With data: "dword:00000000"
Sets value: "1407"
With data: "dword:00000000"
Sets value: "1601"
With data: "dword:00000000"
Sets value: "1809"
With data: "dword:00000003"
Sets value: "2300"
With data: "dword:00000000"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1206"
With data: "dword:00000000"
Sets value: "1400"
With data: "dword:00000000"
Sets value: "1402"
With data: "dword:00000000"
Sets value: "1407"
With data: "dword:00000000"
Sets value: "1601"
With data: "dword:00000000"
Sets value: "1801"
With data: "dword:00000003"
Sets value: "1809"
With data: "dword:00000003"
Sets value: "2300"
With data: "dword:00000000"
Sets value: "2500"
With data: "dword:00000003"
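As an added example (not part of the Microsoft entry), the following Python script scans a Windows .reg export for the three kinds of change described above: the KB<random number> autostart entries, the HKLM\SOFTWARE\<8-digit hexadecimal number> configuration key, and the lowered Internet Explorer zone settings. The sample export, the KB3935267 and AFB117A7 values in it, and the function names are constructed for illustration; the zone value list is the one given above, read with the usual IE URL-action meaning of 0 = enable and 3 = disable.

```python
import re

# Constructed sample .reg export (not from the original page); names and data mirror the entry's indicators.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KB3935267"="%LOCALAPPDATA%\\KB3935267\\KB3935267.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"KB3935267"="%LOCALAPPDATA%\\kb3935267\\KB3935267.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\AFB117A7]
"1"="%LOCALAPPDATA%\\KB3935267\\KB3935267.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"2500"=dword:00000003
"""

# The four autostart keys listed under Installation (compared case-insensitively).
RUN_KEYS = {f"{hive}\\software\\microsoft\\windows\\currentversion\\{tail}"
            for hive in ("hkey_local_machine", "hkey_current_user")
            for tail in ("run", "policies\\explorer\\run")}
KB_PATH = re.compile(r"^%LOCALAPPDATA%\\KB(\d+)\\KB\1\.exe$", re.IGNORECASE)
CONFIG_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\[0-9A-F]{8}$", re.IGNORECASE)
ZONES_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings\zones"
# Zone URL-action value -> data the entry reports Kovter writing (0 = enable, 3 = disable).
COMMON = {"1206": 0, "1400": 0, "1402": 0, "1407": 0, "1601": 0, "1809": 3, "2300": 0}
WEAKENED = {"1": COMMON, "3": {**COMMON, "1801": 3, "2500": 3}}

def parse_reg(text):
    """Return {key: {value_name: data}}; strings are unescaped, dwords become ints."""
    keys, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
        elif cur and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys.setdefault(cur, {})[name] = (int(data[6:], 16) if data.startswith("dword:")
                                              else data.strip('"').replace("\\\\", "\\"))
    return keys

def find_indicators(reg):
    """Return (persistence, config, zones): registry entries matching the behaviour described above."""
    persistence, config, zones = [], [], []
    for key, values in reg.items():
        parent, _, leaf = key.lower().rpartition("\\")
        if key.lower() in RUN_KEYS:
            persistence += [(key, n) for n, d in values.items()
                            if re.fullmatch(r"KB\d+", n) and KB_PATH.match(str(d))]
        elif CONFIG_KEY.match(key) and KB_PATH.match(str(values.get("1"))):
            config.append(key)
        elif parent == ZONES_KEY and leaf in WEAKENED:
            zones += [(leaf, n) for n, d in WEAKENED[leaf].items() if values.get(n) == d]
    return persistence, config, zones
```

A real export is produced with `reg export HKLM\SOFTWARE out.reg` (and the HKCU equivalent) and passed to `parse_reg`; a zone hit only means the setting matches the weakened data, so it should be read alongside the persistence and configuration findings.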

Gives a malicious hacker access and control of your PC

Trojan:Win32/Kovter.C connects to remote command and control (C&C) servers to receive commands and other data from the malicious hacker who controls them. Some of the C&C servers it's known to connect to are:

  • cnc2-bt02.biz
  • cnc3-dm1.biz
  • energizer2012.org
  • wista-opencup.org
  • turboman-open.org

Trojan:Win32/Kovter.C sends data about your PC, like what version of Windows you're running and what timezone your PC is in, back to this server. It can also receive instructions from the server on what to do to your PC. These instructions might include:

  • Download and run other malware on your PC, especially ransomware
  • Send information stored on your PC, like passwords saved by your browsers and cookies
  • Visit websites without your consent and click on links in these sites as a form of click-fraud

Analysis by Rex Plantado


Symptoms

The following could indicate that you have this threat on your PC:

  • You have this file: %LOCALAPPDATA%\KB<random number>\KB<random number>.exe
  • You see these entries or keys in your registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\KB<random number>\KB<random number>.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\kb<random number>\KB<random number>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\kb<random number>\KB<random number>.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "KB<random number>"
With data: "%LOCALAPPDATA%\kb<random number>\KB<random number>.exe"


Prevention


Alert level: Severe
First detected by definition: 1.165.1489.0
Latest detected by definition: 1.189.611.0 and higher
First detected on: Jan 09, 2014
This entry was first published on: Jan 30, 2014
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • TR/Kovter.C.1 (Avira)
  • Win32/LockScreen.BEH trojan (ESET)
  • W32/LockScreen.BEH!tr (Fortinet)