
You have been re-routed to the Trojan:Win32/Kilim.A write-up because Trojan:AutoIt/Kilim.A has been renamed to Trojan:Win32/Kilim.A.
 

Trojan:Win32/Kilim.A


Microsoft security software detects and removes this threat.

This trojan hijacks your Facebook, Twitter or YouTube account to promote pages. It may post hyperlinks or like pages on Facebook, post comments on YouTube videos, or follow profiles and send direct messages on Twitter without your permission.

It may be installed when you click on a malicious link. When you click the link, you may be asked to run or install a program that looks genuine, such as an Adobe Flash installer.

 



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Trojan:AutoIt/Kilim.A creates and copies itself into the following folders:

If these directories already exist, the trojan deletes any files in them and replaces them with a copy of itself.

We have seen this trojan use the file name windows.exe with the Adobe Flash Player icon, but this may vary.

Trojan:AutoIt/Kilim.A disables User Account Control (UAC) by setting the following registry value:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0x00000000"

It modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdobeFlashUpdateManager"
With data: %windir%\AdobeFlash\<threat file name>, for example %windir%\AdobeFlash\windows.exe.

Payload

Posts malicious links on social media

Trojan:AutoIt/Kilim.A connects to a remote server to download configuration files that install Chrome browser extensions:

  • www.e-begen.com/<removed>.txt
  • www.trkral.com/<removed>.txt

It closes the Chrome browser and installs two malicious extensions using the following configuration files and registry entries:

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Sets value: "1"
With data: "%windir%\AdobeFlash\update.xml"

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Sets value: "2"
With data: "%windir%\adobeflash2\update.xml"

The trojan can then access your Facebook, Twitter and YouTube accounts the next time you log in using the Chrome browser. It may post messages, like pages, or follow profiles on Twitter.

An example of the messages it may post:

  • "Selam bir site buldum günlük 250 takipçi veriyor. Sen de denemelisin:)"

This translates as:

  • "Hi, I found a site that gives 250 followers a day. You should try it too :)"

The Chrome browser extensions used by this trojan are detected as Trojan:JS/Kilim.A.

Analysis by Karthik Selvaraj


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • If you click the About menu in the Chrome browser and then select Settings, you are taken to google.com instead of the settings page
  • www.facebook.com and www.okubakgor.com are opened automatically in tabs when you launch Chrome
  • The presence of the following files:

%windir%\adobeflash\update.xml
%windir%\adobeflash2\update.xml

  • The presence of the following registry modifications:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdobeFlashUpdateManager"
With data: %windir%\AdobeFlash\<threat name>

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Sets value: "1"
With data: "%windir%\AdobeFlash\update.xml"

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Sets value: "2"
With data: "%windir%\adobeflash2\update.xml"
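The registry changes listed under Installation, Payload and Symptoms can be checked offline against a registry export. The script below is an added example, not Microsoft's tooling or part of this write-up: it parses the text form of a `reg export` (the `[key]` / `"name"="value"` / `"name"=dword:` subset) and flags the three indicators the page describes: EnableLUA set to 0, a Run entry pointing into %windir%\AdobeFlash, and ExtensionInstallForcelist entries that are not the normal `<extension id>;<https update URL>` pair. The sample export is constructed for illustration (the paths follow the page's examples; the 32-character extension ID and the benign Run entry are placeholders), and the assumption that forcelist values take the `id;url` form is the Chrome policy format, not something stated on this page.

```python
"""Offline check of a .reg export for the Kilim.A registry indicators on this page."""
import re

# Constructed sample export (not a real capture). Key paths and value names
# follow the write-up; paths are shown expanded, as reg export renders REG_SZ.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeFlashUpdateManager"="C:\\Windows\\AdobeFlash\\windows.exe"
"BenignTrayApp"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="C:\\Windows\\AdobeFlash\\update.xml"
"2"="C:\\Windows\\adobeflash2\\update.xml"
"3"="abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the .reg subset used here.
    Strings are unescaped (\\\\ -> \\), dword values become ints; other types
    (hex(2):..., hex:...) are kept as their raw text."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group("raw")
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = raw
            result[current][m.group("name")] = value
    return result


HKLM = "HKEY_LOCAL_MACHINE\\"
POLICY_SYSTEM = HKLM + r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = HKLM + r"Software\Microsoft\Windows\CurrentVersion\Run"
FORCELIST = HKLM + r"SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"


def lookup(reg, key):
    """Case-insensitive key lookup; registry paths are not case-sensitive."""
    for k, v in reg.items():
        if k.lower() == key.lower():
            return v
    return {}


def under_adobeflash_dir(path):
    """True if the path is inside %windir%\AdobeFlash or %windir%\adobeflash2.
    A literal %windir% is expanded to the usual C:\Windows for comparison."""
    p = path.lower().replace("%windir%", r"c:\windows")
    return p.startswith(r"c:\windows\adobeflash")


def looks_like_forcelist_entry(data):
    """Chrome's ExtensionInstallForcelist format is '<32-char id>;<update URL>'.
    Kilim.A writes a bare local path to update.xml instead."""
    if ";" not in data:
        return False
    ext_id, url = data.split(";", 1)
    return re.fullmatch(r"[a-p]{32}", ext_id) is not None and url.lower().startswith("https://")


def find_indicators(reg):
    """Return a list of human-readable findings matching the page's indicators."""
    findings = []
    if lookup(reg, POLICY_SYSTEM).get("EnableLUA") == 0:
        findings.append("UAC disabled: EnableLUA = 0")
    for name, data in lookup(reg, RUN_KEY).items():
        if isinstance(data, str) and under_adobeflash_dir(data):
            findings.append(f"Run entry {name!r} launches {data}")
    for name, data in lookup(reg, FORCELIST).items():
        if isinstance(data, str) and not looks_like_forcelist_entry(data):
            findings.append(f"ExtensionInstallForcelist {name!r} is not an id;https-URL pair: {data}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Against the constructed sample, the four findings are the disabled UAC value, the AdobeFlashUpdateManager Run entry, and forcelist entries "1" and "2"; the benign Run entry and the well-formed forcelist entry "3" are not reported. Note that the forcelist check is deliberately broader than the page's two values: any forced extension whose update source is not an HTTPS URL is worth a look, whether or not it sits under %windir%\AdobeFlash.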


Prevention


Alert level: Severe
First detected by definition: 1.151.809.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 24, 2013
This entry was first published on: May 24, 2013
This entry was updated on: Jun 12, 2013

This threat is also detected as:
  • Trojan.Generic.9124644 (BitDefender)
  • Trojan.MulDrop4.38011 (Dr.Web)
  • Win32/AHK.V trojan (ESET)
  • W32/Agent.HNYI!tr (other)
  • Trojan-Dropper.Win32.Agent.hnyi (Kaspersky)