KELIHOS


ALIASES:

Waledac

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via email


KELIHOS is a botnet first seen in 2010. It is mainly used for spreading other malware through spammed email messages. Besides spamming, some variants exhibit Bitcoin mining and distributed denial of service (DDoS) attacks.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Connects to URLs/IPs

Installation

This worm adds the following possibly malicious files or file components:

  • {All User's Profile}\Application Data\boost_interprocess\{Date and Time of infection}\GoogleImpl

It creates the following folders:

  • %System Root%\All Users\Application Data\boost_interprocess
  • %System Root%\All Users\Application Data\boost_interprocess\{current date and time}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SmartIndex = "{malware path and file name}"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Google

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Google
ID = "50"

HKEY_CURRENT_USER\Software\Google
ID2 = "{random values}"

HKEY_CURRENT_USER\Software\Google
ID3 = "{random values}"

HKEY_CURRENT_USER\Software\Google
AppID = "{random characters}"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path and file name} = "{malware path and file name}:*:Enabled:{file name}"
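As an added defensive example that is not part of the Trend Micro write-up, the following read-only PowerShell triage script checks a host for the registry and file artifacts listed under Installation, Autostart Technique and Other System Modifications. The mapping of "All Users\Application Data" onto $env:ALLUSERSPROFILE and $env:ProgramData is an assumption for later Windows versions; value and key names come from the page.

```powershell
# Added example (not from the Trend Micro page): read-only triage for the
# KELIHOS artifacts described above. Makes no changes; prints findings only.
$findings = @()

# 1. Autostart: Run value named SmartIndex (page: HKLM\...\Run, SmartIndex).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$smart  = Get-ItemProperty -Path $runKey -Name 'SmartIndex' -ErrorAction SilentlyContinue
if ($smart) { $findings += "Run entry SmartIndex -> $($smart.SmartIndex)" }

# 2. Marker values ID, ID2, ID3, AppID directly under HKCU\Software\Google.
#    Legitimate Google software also uses this key, so only the value names
#    listed in the write-up are treated as indicators, not the key itself.
$props = Get-ItemProperty -Path 'HKCU:\Software\Google' -ErrorAction SilentlyContinue
foreach ($name in 'ID', 'ID2', 'ID3', 'AppID') {
    if ($props -and $props.PSObject.Properties[$name]) {
        $findings += "HKCU\Software\Google value $name = $($props.$name)"
    }
}

# 3. Firewall allow-list entry for the same executable the Run value points to
#    (page: AuthorizedApplications\List, data "<path>:*:Enabled:<name>").
#    Every allowed program uses that data format, so the check is correlated
#    with the SmartIndex path to avoid flagging legitimate exceptions.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
         'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -and $smart) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match ':\*:Enabled:' -and
            $smart.SmartIndex -like "*$($p.Name)*") {
            $findings += "Firewall exception for autostart binary $($p.Name)"
        }
    }
}

# 4. Dropped file: boost_interprocess\<timestamp>\GoogleImpl under the
#    all-users profile. Assumption: both candidate roots are checked because
#    the legacy path is a junction to ProgramData on Vista and later.
$roots = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\boost_interprocess'),
    (Join-Path $env:ProgramData 'boost_interprocess')
) | Select-Object -Unique
foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'GoogleImpl' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File $($_.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No KELIHOS artifacts from the write-up found.' } else { $findings }
```

A hit on the SmartIndex Run value plus the matching firewall exception is the strongest combination; the HKCU\Software\Google values on their own warrant a closer look rather than a verdict.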

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.185.46/vYho/w5/pMSeoeJQF.htm
