Follow:

 

TrojanSpy:Win32/Keatep.B


TrojanSpy:Win32/Keatep.B is a trojan that steals FTP credentials and sends it to a remote attacker. It also injects malicious Iframe code that points to a certain Web site. It also disables the Windows firewall and connects to a remote Web site to potentially download arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Removing a program exception
This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps (note that you need the malware file name - this may be available from the detection of your antivirus product):
 
For Windows 7:
1) Click Start, select Control Panel, then System and Security.
2) Select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
5) Select the program name from the list of allowed programs and features. Click Remove.
6) Click OK.
 
For Windows Vista:
1) Click Start, select Control Panel, then Security Center.
2) On the left-hand menu, select Windows Firewall.
3) On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4) Select the program name from the list of allowed programs and features. Click Delete.
5) Click OK.
 
For Windows XP:
1) Use an administrator account to log on.
2) Click Start, select Run, type wscui.cpl, and then click OK.
3) In Windows Security Center, click Windows Firewall.
4) On the Exceptions tab, click the program name and then click Delete.
5) Click OK.
Resetting FTP program passwords
This threat may steal credentials for various FTP programs. It is recommended that once you remove this threat, you should reset or change the passwords for FTP programs that you use, as your credentials may be in the possession of a remote attacker.

Threat behavior

TrojanSpy:Win32/Keatep.B is a trojan that steals FTP credentials and sends it to a remote attacker. It also injects malicious Iframe code that points to a certain Web site. It also disables the Windows firewall and connects to a remote Web site to potentially download arbitrary files.
Installation
TrojanSpy:Win32/Keatep.B may be downloaded and run by other malware such as Virus:Win32/Sality.AT.
 
When executed, TrojanSpy:Win32/Keatep.B creates the mutex "SIDUY928WUOI0192" to ensure that only one instance of itself is running.
Payload
Injects malicious Iframe
TrojanSpy:Win32/Keatep.B may try to inject a potentially malicious Iframe pointing to the Web site "besloqawe.com".
 
Disables Windows firewall
TrojanSpy:Win32/Keatep.B attempts to disable the Windows firewall by running the following command:
 
netsh firewall set opmode disable
 
It also adds itself to the authorized application list in the Windows firewall:
 
Adds value: "<Malware File>"
With data:  "<Malware File>:*:enabled:ipsec"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 
Connects to a remote Web site
TrojanSpy:Win32/Keatep.B attempts to connect to the following Web sites to download other files:
 
  • microupdate14.info
  • kukutrustnet888.info
 
Steals FTP credentials
TrojanSpy:Win32/Keatep.B attempts to steal credentials for various FTP programs, such as "Total Commander" and "FileZilla". If gathered, TrojanSpy:Win32/Keatep.B uploads the gathered credentials to a remote location.
 
Analysis by Andrei Florin Saygo

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.47.53.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Nov 08, 2008
This entry was first published on: May 07, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Xema.variant (AhnLab)
  • W32/Keatep.B.gen!Eldorado (Command)
  • W32/Spambot.gen.3248299 (Norman)
  • Trojan horse SpamTool.FWG (AVG)
  • Win32/Maazben!generic (CA)
  • Trj/SpamBot.AR (Panda)