Installation
PWS:Win32/Kegotip.C can create the following files on your PC:
- c:\documents and settings\administrator\application data\microsoft\address book\administrator.wab
- c:\documents and settings\administrator\application data\microsoft\address book\administrator.wab~
- c:\documents and settings\administrator\local settings\temp\mps7.tmp
- c:\documents and settings\administrator\local settings\temp\mswqc.tmp
- c:\documents and settings\administrator\local settings\temp\mswqd.tmp
It can add the following registry entry to add an exception rule to the Windows firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<Malware Path>"
With data: "<Malware Path>:*:Enabled:Microsoft Office"
It stores a unique machine identifier, generated by calling the UuidCreate() or QueryPerformanceCounter() APIs, in the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion
Sets value: "VendorId"
With data: "<16-hex>"
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "regedit32"
With data: "<Malware Path>"
It can create the mutex 5629186B-0207-4659-AE5D-B09282932A86_<Randomdigits>. This could be an infection marker to prevent more than one copy of the threat running on your PC.
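The registry values, mutex name and temporary-file pattern listed above are the host-side artifacts a responder would look for. The following is an added example, not part of the original write-up: a small Python checker that matches those artifacts against a snapshot of registry values, mutex names and %TEMP% file names. The snapshot dicts and the `C:\PLACEHOLDER\malware.exe` path are constructed sample data; on a live system the snapshot would be filled from a registry export, a handle listing and a directory listing.

```python
"""Match a host snapshot against the PWS:Win32/Kegotip.C artifacts described above.

Added example (not Microsoft's detection logic). The snapshot data at the bottom
is constructed for illustration; the path C:\\PLACEHOLDER\\malware.exe is a
stand-in for the real "<Malware Path>".
"""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
VENDORID_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion"
FIREWALL_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# VendorId data is described as 16 hex characters
VENDORID_RE = re.compile(r"^[0-9a-fA-F]{16}$")
# fixed GUID followed by "_" and random digits
MUTEX_RE = re.compile(r"^5629186B-0207-4659-AE5D-B09282932A86_\d+$", re.IGNORECASE)
# %TEMP%\MSWQ<random>.tmp
TEMP_RE = re.compile(r"^mswq.*\.tmp$", re.IGNORECASE)
# firewall exception data "<Malware Path>:*:Enabled:Microsoft Office"
FW_RE = re.compile(r"^(?P<path>.+):\*:enabled:microsoft office$", re.IGNORECASE)


def check_snapshot(registry, mutexes, temp_files):
    """Return (indicator, detail) tuples for every Kegotip.C artifact matched.

    registry:   {subkey: {value_name: data}}
    mutexes:    iterable of mutex names held by running processes
    temp_files: iterable of file names found in %TEMP%
    """
    hits = []

    run_values = registry.get(RUN_KEY, {})
    if "regedit32" in run_values:
        hits.append(("run_key", run_values["regedit32"]))

    vendor = registry.get(VENDORID_KEY, {}).get("VendorId")
    if vendor is not None and VENDORID_RE.match(vendor):
        hits.append(("vendorid", vendor))

    for name, data in registry.get(FIREWALL_KEY, {}).items():
        m = FW_RE.match(data)
        # the value name is the malware path and must equal the path in the data
        if m and m.group("path").lower() == name.lower():
            hits.append(("firewall_exception", name))

    for mutex in mutexes:
        if MUTEX_RE.match(mutex):
            hits.append(("mutex", mutex))

    for fname in temp_files:
        if TEMP_RE.match(fname):
            hits.append(("temp_file", fname))

    return hits


# --- constructed sample snapshot (not data from a real infection) ---
SAMPLE_REGISTRY = {
    RUN_KEY: {"regedit32": r"C:\PLACEHOLDER\malware.exe"},
    VENDORID_KEY: {"VendorId": "0123456789ABCDEF"},
    FIREWALL_KEY: {
        r"C:\PLACEHOLDER\malware.exe":
            r"C:\PLACEHOLDER\malware.exe:*:Enabled:Microsoft Office",
    },
}
SAMPLE_MUTEXES = ["5629186B-0207-4659-AE5D-B09282932A86_483920", "Global\\BenignMutex"]
SAMPLE_TEMP_FILES = ["mps7.tmp", "mswqc.tmp"]

if __name__ == "__main__":
    for indicator, detail in check_snapshot(SAMPLE_REGISTRY, SAMPLE_MUTEXES, SAMPLE_TEMP_FILES):
        print(f"{indicator:20s} {detail}")
```

The firewall check requires the value name and the path inside the data to agree, which is how the entry is described above; a hit there is still a lead to confirm by inspecting the file at that path, since other software also registers exceptions under the same key.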
Payload
Collects your sensitive information
This threat collects passwords and other personal information from the following applications:
- ALFTP
- CoffeeCup Software
- Core FTP
- CuteFTP
- FAR Manager
- FileZilla
- FTP Commander
- FTP Navigator
- FTP Rush
- Ghisler/Total Commander
- GlobalSCAPE Software
- Internet Explorer
- Microsoft Outlook
- Outlook Express
- SecureFX
- SmartFTP
- TurboFTP
- UltraFXP
- WS_FTP
It also collects email addresses by searching all local drives. It searches for all file types, except the following:
- .avi
- .cab
- .gif
- .jpg
- .mp3
- .rar
- .zip
The collected email addresses can be saved locally to %APPDATA%\Microsoft\Address Book\<username>.wab.
PWS:Win32/Kegotip.C can create the file %TEMP%\MSWQ<random>.tmp while searching your PC. The file contains the drive letter of the current drive, for example "C:\" or "D:\".
The collected data is sent to a remote server. We have seen this threat connect to the following domains and IP addresses using TCP ports 80 and 20050-20053:
- 176.31.104.106
- 188.165.227.61
- 188.165.228.199
- 46.165.243.25
- 5.135.178.153
- 93.113.37.210
- 94.23.32.170
- 94.75.227.218
- bestconspires.co.in
- gefuret.org
- localeventit.pro
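The addresses and ports above are the network indicators for this threat. The following is an added example, not part of the original analysis: a Python function that scans connection log lines for destinations in that list and notes whether the port is one of those observed (80 or 20050-20053). It goes slightly beyond the list by also matching subdomains of the listed domains (for example a host under gefuret.org); the log format (`dst=... dport=...`) and the sample lines are constructed for the example.

```python
"""Match connection logs against the PWS:Win32/Kegotip.C network indicators above.

Added example (not Microsoft's detection logic). The log line format and the
SAMPLE_LOG entries are constructed; adapt LOG_RE to the real log source.
"""
import re

# indicators as listed on the page
KEGOTIP_IPS = {
    "176.31.104.106", "188.165.227.61", "188.165.228.199", "46.165.243.25",
    "5.135.178.153", "93.113.37.210", "94.23.32.170", "94.75.227.218",
}
KEGOTIP_DOMAINS = {"bestconspires.co.in", "gefuret.org", "localeventit.pro"}
# observed TCP ports: 80 and 20050-20053
KEGOTIP_PORTS = {80} | set(range(20050, 20054))

# constructed log format: "... dst=<host or ip> dport=<port> ..."
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)")


def host_matches(dst):
    """True if dst is a listed IP, a listed domain, or a subdomain of one."""
    dst = dst.lower().rstrip(".")
    if dst in KEGOTIP_IPS:
        return True
    return any(dst == d or dst.endswith("." + d) for d in KEGOTIP_DOMAINS)


def match_connections(log_lines):
    """Return one dict per log line whose destination is a Kegotip.C indicator.

    port_expected records whether the destination port is one of the ports
    the threat was observed using; a hit on another port is still reported.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # lines without the expected fields are skipped, not errors
        dst, port = m.group("dst"), int(m.group("port"))
        if host_matches(dst):
            hits.append({
                "line": line,
                "dst": dst,
                "port": port,
                "port_expected": port in KEGOTIP_PORTS,
            })
    return hits


# --- constructed sample log (not real traffic) ---
SAMPLE_LOG = [
    "2013-06-01T08:00:01 src=10.0.0.15 dst=188.165.227.61 dport=20051 proto=tcp",
    "2013-06-01T08:00:02 src=10.0.0.15 dst=www.gefuret.org dport=80 proto=tcp",
    "2013-06-01T08:00:03 src=10.0.0.16 dst=93.113.37.210 dport=443 proto=tcp",
    "2013-06-01T08:00:04 src=10.0.0.16 dst=example.net dport=80 proto=tcp",
    "malformed line with no destination fields",
]

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_LOG):
        flag = "" if hit["port_expected"] else " (port not in observed set)"
        print(f"{hit['dst']}:{hit['port']}{flag}")
```

Reporting hits on other ports as well, with `port_expected` set to False, avoids missing a connection to a known-bad host just because the operator changed ports; the flag lets the analyst prioritise the matches that fit the documented pattern.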
Modifies system security settings
PWS:Win32/Kegotip.C adds itself to the list of applications that are authorized to access the Internet without being stopped by the Firewall, by making the following registry modification:
Adds value: "<malware file>.exe"
With data: "<malware file>.exe:*:enabled:microsoft office"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Analysis by Rex Plantado