KELIHOS Spam Ushers in the New Year

Spammers started the year right with an email message that supposedly led to New Year’s e-cards. Various versions of the spammed messages circulated online with two new malware in tow. The systems of unwitting users who opened the messages and clicked the embedded link may be infected by WORM_KELIHOS.SM and TROJ_KELIHOS.DLR.

The attack in itself was not entirely new, given the considerable number of similar runs in the past that leverage holidays and other notable events. Interestingly, however, this particular attack bears many similarities to notorious WALEDAC attacks. The familiar routines have thus led experts to think that the spam campaign may have been spearheaded by the same cybercriminal gang behind WALEDAC. While the evidences remained inconclusive, the fact remains that spammed messages are not merely inbox nuisances, but can pose serious threats to users.

How does this threat affect users?

This threat arrives in the form of spammed messages containing links to supposed New Year’s e-cards. The recipients who clicked the link to view the e-card ended up with KELIHOS infections.

What happens to infected systems?

Clicking the link led users to a malicious site that automatically downloaded a fake Adobe Flash Player installer detected as TROJ_KELIHOS.DLR onto their systems. This Trojan connects to http://{BLOCKED}.{BLOCKED}.240.36/flash2.exe to download and execute a file detected as WORM_KELIHOS.SM.

How does this threat propagate?

WORM_KELIHOS.SM is a spamming malware that sends the very same email messages that spread TROJ_KELIHOS.DLR. It uses a well-defined template for its messages that utilize random combinations of names, subjects, and phrases to try to make them appear to have been sent by a human.

How is this threat similar to the WALEDAC malware family?

Initial reports of this spam run have led experts to believe that the attack may have been instigated by the same people behind WALEDAC. Reminiscent of the infamous WALEDAC worm, this threat also made use of spammed messages, fast-flux domains, and changing binaries. While it remains unclear if the attacks were indeed borne by the same individuals behind WALEDAC, it has been ascertained that the attack used the same tactics. Like previous WALEDAC variants, WORM_KELIHOS.SM also communicated via a peer-to-peer (P2P) mechanism. It does this by connecting to other infected computers via TCP port 80. This type of communication is usually referred to as HTTP2P.

What makes this attack unique?

WORM_KELIHOS.SM has an unusually sophisticated logging feature. If executed using a special command-line parameter (/loggs99) it produces a rather in-depth log of its behavior. The log describes in detail the P2P behavior that WORM_KELIHOS.SM exhibits, particularly how it attempts to connect to already-infected systems. If it successfully does so, the log also shows how it updates the list of infected systems that it already knows about.

How can affected users remove this threat from their systems?

Affected users can remove this threat from their systems by terminating the malicious program via the Windows Task Manager, modifying the infected system's registry to delete a created entry and key, and scanning their systems with their registered Trend Micro product.

Are Trend Micro users protected from this threat?

Yes. Solutions supported by the Trend Micro™ Smart Protection Network™ block the spammed messages used in this attack via the email reputation technology. The Smart Protection Network also detects and prevents the execution of the malicious files WORM_KELIHOS.SM and TROJ_KELIHOS.DLR on users' systems via the file reputation technology. It also protects users by blocking access to malicious sites and phone-home attempts via the Web reputation technology.

What can users do to prevent this threat from infecting their systems?

Users can prevent this threat from infecting their systems by constantly exercising caution when opening email messages. As has been repeatedly said, simple precautionary measures such as verifying the senders' legitimacy can go a long way. Email messages from unknown senders and with dubious subject lines should immediately be deleted from inboxes. It is likewise important to avoid clicking links embedded in these messages.


“Malware authors generally prefer to hide a malware’s behavior and to not advertise it. One can therefore wonder why this sort of behavior made it to an in-the-wild malware variant. It’s possible that this particular malware family is still being developed and that its creators intend to make improvements to it down the road.” — Jessa De La Torre, Threat Response Engineer