Threat Encyclopedia

TROJ_KATUSHA


PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Downloaded from the Internet, Spammed via email


KATUSHA Trojans typically arrive via spammed email messages or as files downloaded unknowingly by users visiting malicious sites. They are used to download and execute other malicious files.

In 2010, a spam run posing as an IT notification carried a KATUSHA variant as an attachment. Cybercriminals also used this malware to launch attacks on users of the social networking site and blogging platform Multiply.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Downloads files

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{malware name} = "{malware path}\{malware name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
{malware name} = "{malware path}\{malware name}.exe"

Other System Modifications

This Trojan adds the following registry key as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Setup\Files

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://http-{BLOCKED}ting.us/httpss/v={random numbers}&step={random numbers}&hostid={random numbers}
  • http://domain-{BLOCKED}u.com/httpss/v={random numbers}&step={random numbers}&hostid={random numbers}
  • http://website-{BLOCKED}b.us/httpss/v={random numbers}&step={random numbers}&hostid={random numbers}
  • http://http{BLOCKED}ck.us/httpss/v={random numbers}&step={random numbers}&hostid={random numbers}
  • http://http-{BLOCKED}p.co.cc/httpss/v={random numbers}&step={random numbers}&hostid={random numbers}
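The URLs above share one shape: a `/httpss/` path followed by numeric `v`, `step` and `hostid` parameters. The following detection helper, an added example that is not Trend Micro's code, matches that shape in proxy log lines; the log format (client IP, method, URL, status) and the host names in the sample lines are assumptions, not real indicators.

```python
import re
from urllib.parse import urlsplit

# Beacon shape taken from the URLs listed in this entry:
# <host>/httpss/v=<digits>&step=<digits>&hostid=<digits>
# The listing shows the parameters joined directly to the path with no "?",
# so the optional "\??" accepts both that form and a conventional query string.
BEACON_RE = re.compile(r"^/httpss/\??v=\d+&step=\d+&hostid=\d+$")


def is_katusha_beacon(url: str) -> bool:
    """True if the URL matches the KATUSHA check-in/download pattern above."""
    parts = urlsplit(url)
    if not parts.netloc:
        return False
    # Re-join path and query so the "?"-less and "?"-ed variants compare the same way.
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return BEACON_RE.match(tail) is not None


def find_beacons(log_lines):
    """Scan proxy log lines (assumed format: client_ip method url status).

    Returns a list of (client_ip, contacted_host) pairs for lines whose URL
    matches the beacon pattern; the contacted host is what an analyst would
    want to block or pivot on next.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        if is_katusha_beacon(url):
            hits.append((client, urlsplit(url).netloc))
    return hits


# Constructed sample log lines; the hosts are placeholders, not indicators.
SAMPLE_LOG = [
    "10.0.0.15 GET http://http-example-ting.us/httpss/v=48213&step=2&hostid=9917 200",
    "10.0.0.15 GET http://www.example.com/index.html 200",
    "10.0.0.22 GET http://domain-example-u.com/httpss/?v=7&step=1&hostid=334 404",
    "10.0.0.30 GET http://http-example-ting.us/httpss/v=abc&step=2&hostid=9917 200",
]

if __name__ == "__main__":
    for client, host in find_beacons(SAMPLE_LOG):
        print(f"possible KATUSHA beacon: {client} -> {host}")
```

The non-numeric `v=abc` line is deliberately left unmatched so that ordinary pages under a `/httpss/` path do not produce alerts.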
