Threat behavior
TrojanDownloader:Win32/Kogant.A is a trojan that monitors network traffic. It may be installed by a dropper identified as Backdoor:Win32/Koceg.gen!B.
Installation
When the dropper Win32/Koceg.gen!B is run, it may drop the following files:
%UserProfile%\cftmon.exe - Backdoor:Win32/Koceg.gen!B
%UserProfile%\ftp34.dll - TrojanDownloader:Win32/Kogant.A
<system folder>\drivers\spools.exe - Backdoor:Win32/Koceg.gen!B
<system folder>\ftp34.dll - TrojanDownloader:Win32/Kogant.A
The registry is modified to execute Win32/Koceg.gen!B at each Windows start. For more information about Win32/Koceg.gen!B, visit this URL:
When Win32/Kogant.A is run, it creates a mutex named "323dd" to ensure only one instance of the trojan runs at a time.
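As an added example that is not part of the original write-up, the following Python helper turns the dropped-file indicators listed above into a host-triage check over a constructed file listing. The user profile and system folder paths, and the sample listing itself, are assumptions for the demonstration; the mutex name is noted but not checked, since that needs the Windows mutex API.

```python
import ntpath
from typing import Dict, List, Tuple

# Dropped files from the write-up: (folder placeholder, relative path) -> detection.
KOGANT_DROPS: Dict[Tuple[str, str], str] = {
    ("%UserProfile%", "cftmon.exe"): "Backdoor:Win32/Koceg.gen!B",
    ("%UserProfile%", "ftp34.dll"): "TrojanDownloader:Win32/Kogant.A",
    ("<system folder>", r"drivers\spools.exe"): "Backdoor:Win32/Koceg.gen!B",
    ("<system folder>", "ftp34.dll"): "TrojanDownloader:Win32/Kogant.A",
}
# The mutex "323dd" is a second host indicator, but checking it needs the
# Windows mutex API, so this offline example covers only the file artifacts.

def expected_paths(user_profile: str, system_folder: str) -> Dict[str, str]:
    """Resolve the placeholders to concrete, case-folded full paths."""
    resolved = {}
    for (folder, rel), detection in KOGANT_DROPS.items():
        base = user_profile if folder == "%UserProfile%" else system_folder
        resolved[ntpath.normcase(ntpath.join(base, rel))] = detection
    return resolved

def find_kogant_artifacts(observed: List[str], user_profile: str,
                          system_folder: str) -> List[Tuple[str, str]]:
    """Return (observed path, detection) for each path matching an indicator.
    Matching is case-insensitive and tolerates '/' separators and '.' or '..'
    segments, which a listing from a disk image or DIR dump may contain."""
    expected = expected_paths(user_profile, system_folder)
    hits = []
    for path in observed:
        key = ntpath.normcase(ntpath.normpath(path))
        if key in expected:
            hits.append((path, expected[key]))
    return hits

def dropper_and_downloader_present(hits: List[Tuple[str, str]]) -> bool:
    """True when both the Koceg dropper and the Kogant downloader were found,
    the pairing the write-up describes for a completed installation."""
    names = {detection for _, detection in hits}
    return {"Backdoor:Win32/Koceg.gen!B", "TrojanDownloader:Win32/Kogant.A"} <= names

# Constructed sample listing (not from a real system). The last two entries are
# legitimate Windows files whose names resemble the dropped ones and must not match.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\alice\cftmon.exe",
    r"C:\Documents and Settings\alice\FTP34.DLL",
    "C:/WINDOWS/system32/drivers/spools.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
]
```

Call `find_kogant_artifacts(SAMPLE_LISTING, r"C:\Documents and Settings\alice", r"C:\WINDOWS\system32")` to get the three matching paths with their detection names; the two legitimate files are not reported.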
Payload
Monitors Traffic
Win32/Kogant.A may monitor Internet communication from the site 'safe-security-advisour.com'. When a data stream is received, the trojan may intercept specific network API calls, rewrite the data, and send the modified stream back to the server. The altered data stream may result in potentially unwanted programs being downloaded from Web site(s).
Analysis by Tim Liu
Prevention