Trojan:Win32/Kovter.B


Trojan:Win32/Kovter.B is a trojan that can lock your screen and prevent you from accessing your desktop. It might also automatically open a website containing adult content. It can receive commands from a hacker and send information about your PC back to the hacker.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Enable the registry editor

This threat might prevent Registry Editor from running. To allow Registry Editor to run again, follow these steps:

  1. Click Start, then Run, type cmd, and press Enter to open a command prompt.
  2. In the command prompt, type the following and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit.

This command resets the policy under HKCU, so it only affects the user account you run it from; repeat it from each affected account.

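The same reset done from PowerShell, extended to Task Manager, which this threat also blocks. This is an added example, not part of the original entry or Microsoft's guidance. DisableRegistryTools is the value named on this page; DisableTaskMgr is the standard Windows policy value for Task Manager and is assumed here, because the page does not say which value Kovter.B uses to block Task Manager.

```powershell
# Added example (not from the original advisory): reset the policy values that
# block Registry Editor and Task Manager, then verify them. Run it as the user
# whose account is affected: like the reg.exe command above it targets HKCU,
# so it only repairs the hive of the user it runs as.
# DisableRegistryTools is the value named on this page. DisableTaskMgr is the
# standard Windows policy value for Task Manager and is assumed here, because
# the page does not say which value Kovter.B uses to block Task Manager.

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueNames = @('DisableRegistryTools', 'DisableTaskMgr')

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or value is absent (tool not blocked by this value).
    (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

if (Test-Path $policyKey) {
    foreach ($name in $valueNames) {
        $current = Get-PolicyValue $name
        if ($null -eq $current -or $current -eq 0) {
            Write-Host "$name is not set; nothing to do"
            continue
        }
        Write-Host "$name was $current; resetting to 0"
        Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
    }
} else {
    Write-Host "$policyKey does not exist; these tools are not blocked by this policy"
}

# Verify the reset took effect; a value that comes back non-zero suggests
# the threat is still running and re-applying it.
foreach ($name in $valueNames) {
    $v = Get-PolicyValue $name
    if ($null -ne $v -and $v -ne 0) {
        Write-Warning "$name is still $v; the threat may still be active"
    }
}
```

Because the Winlogon Shell entry described under Installation restarts the threat at every logon, run this after the scan has removed the executable; if the values come back non-zero, the threat is still present.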
Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Threat behavior

Installation

Trojan:Win32/Kovter.B has the file name %APPDATA%\kb<random number>\kb<random number>.exe, for example, %APPDATA%\KB9112247\KB9112247.exe.

It changes your registry so that it runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "kb<random number>"
With data: "%APPDATA%\kb<random number>\kb<random number>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "kb<random number>"
With data: "%APPDATA%\kb<random number>\kb<random number>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, "%APPDATA%\kb<random number>\kb<random number>.exe""

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB9112247"
With data: "%APPDATA%\KB9112247\KB9112247.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "KB9112247"
With data: "%APPDATA%\KB9112247\KB9112247.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, "%APPDATA%\KB9112247\KB9112247.exe""

It also creates registry entries as infection markers; infection markers are signs that this threat is installed on your PC:

In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "1"
With data: "<16-digit hexadecimal number based on PC information>"

In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "3"
With data: "%APPDATA%\kb<random number>\kb<random number>.exe"

In subkey: HKLM\SOFTWARE\<8-digit hexadecimal number based on the Kovter sample>
Sets value: "4"
With data: "<10-digit number based on Kovter's installation time>"

For example:

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "1"
With data: "9109FF4AEFCE1111"

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "3"
With data: "%APPDATA%\KB9112247\KB9112247.exe"

In subkey: HKLM\SOFTWARE\0708FC4A
Sets value: "4"
With data: "1389705410"
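The following PowerShell script is an added example, not part of the original entry, that sweeps the persistence locations and infection markers listed above and reports matches without changing anything. The kb<random number> path pattern and the marker layout (an 8-hex-digit key under HKLM\SOFTWARE holding values "1", "3" and "4") come from the page; the regular expressions and the reading of value "4" as a Unix timestamp are this example's assumptions.

```powershell
# Added example (not from the original advisory): read-only sweep for the
# Kovter.B persistence entries and infection markers described on this page.
# The kb<random number> path pattern and the marker layout are taken from the
# page; the regular expressions and the reading of value "4" as seconds since
# the Unix epoch are this example's assumptions. Run elevated to read HKLM fully.

function Find-KovterArtifacts {
    $findings = @()
    $kbExe = '(?i)\\kb\d+\\kb\d+\.exe'          # ...\kb<n>\kb<n>.exe

    # 1. Run keys: a value named kb<digits>, or data pointing at the kb path.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip provider metadata (PSPath etc.)
            if ($p.Name -match '(?i)^kb\d+$' -or "$($p.Value)" -match $kbExe) {
                $findings += [pscustomobject]@{ Where = $key; Name = $p.Name; Data = $p.Value }
            }
        }
    }

    # 2. Winlogon Shell must be exactly "explorer.exe"; Kovter appends its own exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{ Where = $winlogon; Name = 'Shell'; Data = $shell }
    }

    # 3. Infection markers: HKLM\SOFTWARE\<8 hex digits> with values "1", "3", "4".
    foreach ($sub in (Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue)) {
        if ($sub.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }
        $m = Get-ItemProperty -Path $sub.PSPath
        $names = @($m.PSObject.Properties.Name)
        if (-not ($names -contains '1' -or $names -contains '3' -or $names -contains '4')) { continue }
        $installed = $null
        if ("$($m.'4')" -match '^\d{10}$') {
            # Assumption: value "4" is seconds since 1970-01-01 UTC (not confirmed by the page).
            $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
            $installed = $epoch.AddSeconds([double]$m.'4')
        }
        $findings += [pscustomobject]@{
            Where = $sub.PSPath
            Name  = 'marker'
            Data  = "id=$($m.'1') exe=$($m.'3') time=$($m.'4') ($installed UTC)"
        }
    }
    return $findings
}

$hits = @(Find-KovterArtifacts)
if ($hits.Count -eq 0) {
    Write-Host 'No Kovter.B persistence entries or infection markers found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

The Shell check is the most robust of the three: a Winlogon Shell value that is anything other than explorer.exe is worth investigating whatever the file name, since the kb<random number> naming is specific to this sample and a later variant may not use it.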

It checks whether it's running in a virtual machine, or whether any malware analysis tools or debuggers are running on your PC. If so, it exits.

Payload

Connects to a server

Trojan:Win32/Kovter.B connects to these servers to receive commands and configuration data from a hacker:

  • fz5qiter.biz
  • qx5xyngo.org

One of the commands it might receive is to download and run other malware on your PC.

It connects to a different server to send information about your PC:

  • cnc2-bt01.biz

It sends information about your PC, like passwords saved by your browsers and cookies.
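An added example, not part of the original entry, that checks DNS query records for the three domains named above. The log lines are constructed for the example and their format (one query per line, queried name as the last field) is an assumption; the matching itself is anchored so that only the listed domains and their subdomains count.

```powershell
# Added example (not from the original advisory): sweep DNS query records for
# the Kovter.B command-and-control and exfiltration domains named on this page.
$kovterDomains = @('fz5qiter.biz', 'qx5xyngo.org', 'cnc2-bt01.biz')

# Match the domain itself or any subdomain of it (e.g. www.fz5qiter.biz), but
# not look-alikes such as notqx5xyngo.org, by anchoring on a dot or start-of-string.
$escaped = $kovterDomains | ForEach-Object { [regex]::Escape($_) }
$pattern = '(?i)(^|\.)(' + ($escaped -join '|') + ')$'

function Find-KovterDomains {
    param([string[]]$Names)
    $Names | Where-Object { $_ -match $pattern } | Sort-Object -Unique
}

# Constructed sample lines in a simplified "timestamp client query name" format.
# This format is an assumption; real DNS server debug or Sysmon logs differ.
$sampleLog = @(
    '2014-01-14T13:16:50Z 10.0.0.12 query www.microsoft.com',
    '2014-01-14T13:17:02Z 10.0.0.12 query fz5qiter.biz',
    '2014-01-14T13:17:09Z 10.0.0.12 query update.qx5xyngo.org',
    '2014-01-14T13:18:30Z 10.0.0.12 query notqx5xyngo.org',
    '2014-01-14T13:19:11Z 10.0.0.12 query cnc2-bt01.biz'
)
$queried = $sampleLog | ForEach-Object { ($_ -split '\s+')[-1] }
Find-KovterDomains -Names $queried

# On Windows 8 / Server 2012 and later the local resolver cache can be checked
# the same way (Get-DnsClientCache does not exist on Windows 7).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $cached = Get-DnsClientCache | Select-Object -ExpandProperty Entry
    Find-KovterDomains -Names $cached
}
```

The fourth sample line is a negative control: notqx5xyngo.org shares a suffix with a listed domain but is not a subdomain of it, and the anchored pattern correctly leaves it out.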

Locks your screen

This threat might lock your screen, preventing you from accessing your desktop. It might display this message, or something similar:

"Please connect to the internet...."

Disables Task Manager and Registry Editor

This threat prevents you from running these tools:

  • Task Manager
  • Registry editor

Opens adult-oriented websites

This threat might automatically open a website containing adult content.

Analysis by Steven Zhou


Symptoms

The following could indicate that you have this threat on your PC:

  • You cannot access your desktop, and you see a message saying "Please connect to the internet...."
  • Your browser might automatically go to a website containing adult content
  • You can't run Task Manager or Registry Editor

Prevention


Alert level: Severe
First detected by definition: 1.151.2134.0
Latest detected by definition: 1.191.758.0 and higher
First detected on: Jun 13, 2013
This entry was first published on: Jun 26, 2013
This entry was updated on: Jan 17, 2014

This threat is also detected as:
  • RDN/Suspicious.bfr!v (McAfee)