WORM_KELIHOS.CH

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{variable1} = "{malware path and file name}"
where {variable 1} is the combination of two words from any the following:

• Informer
• Verifyer
• Saver
• Notifyer
• Checker
• Updater
• Network
• Time
• CrashReport
• Database
• Icon
• Desktop
• Tray
• Video
• Media

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
SizeCompletedValid = "DOG3c2U+e8tKjlkgOnkJw01j9UQR4nE7XiEcc5OujMjGCLyLebDjsg/C2tWGzx8qaQ=="

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
defaultcompressedrecord = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
recordmodifiedmax = "DOG3c2U+e8tKjlkgOnkJw01j9UQR4nE7XiEcc5OujMjGCLyLebDjsg/C2tWGzx8qaQ=="

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• Any of the following:
  
  • password.exe
  • screensaver.exe
  • game.exe
  • porn.exe
  • run.exe
  • hentai.exe
  • installer.exe

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Request spam email messages structure and template
• Send spam email messages using SMTP
• List running processes
• Download and execute arbitrary files
• Terminate self

It connects to the following websites to send and receive information:

• http://{BLOCKED}.{BLOCKED}.115.190/online.htm
• http://{BLOCKED}.{BLOCKED}.115.190/main.htm
• http://{BLOCKED}.{BLOCKED}.115.190/start.htm
• http://{BLOCKED}.{BLOCKED}.115.190/install.htm
• http://{BLOCKED}.{BLOCKED}.115.190/login.htm
• http://{BLOCKED}.{BLOCKED}.115.190/setup.htm
• http://{BLOCKED}.{BLOCKED}.115.190/welcome.htm
• http://{BLOCKED}.{BLOCKED}.115.190/search.htm
• http://{BLOCKED}.{BLOCKED}.115.190/home.htm
• http://{BLOCKED}.{BLOCKED}.115.190/default.htm
• http://{BLOCKED}.{BLOCKED}.115.190/file.htm

Dropping Routine

This worm drops the following files:

• This worm installs WinPcap, a legitimate and commonly used Windows packet capture library used to monitor the infected computer's network activities, by dropping and installing the following non-malicious files:
  • %System%\packet.dll
  • %System%\wpcap.dll
  • %System%\drivers\npf.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Information Theft

This worm attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3DFTP
• ALFTP
• BPFTP
• BitKinex
• BlazeFtp
• BulletProof FTP
• COREFTP
• CUTEFTP
• Classic FTP
• Core FTP
• CuteFTP
• DeluxeFTP
• Directory Opus
• EasyFTP
• FAR Manager FTP
• FFFTP
• FTP Commander Deluxe
• FTP Commander Pro
• FTP Explorer
• FTP Navigator
• FTP Now
• FTP Surfer
• FTP++
• FTPGetter
• FTPRush
• FTPWare
• Frigate3 FTP
• GPSoftware
• GoFTP
• Ipswitch
• LEAPFTP
• LeechFTP
• P32bit FTP
• SmartFTP
• SoftX FTP
• Staff-FTP
• TurboFTP
• WS_FTP
• WinFTP
• XFTP
• FileZilla
• SecureFX
• FlashFXP
• UltraFXP
• FreshFTP
• Cyberduck
• FTP Shell
• TFTPInfo

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• FTP User Name
• FTP Password
• FTP Server Name
• Port Number

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Chrome
• Chromium
• ChromePlus
• Bromium
• Nichrome
• Comodo
• RockMelt
• CoolNovo
• ChromePlus
• Yandex

Other Details

This worm drops the following file(s)/component(s):

• {removable drive}:\Shortcut to {malware copy}.lnk - points to the dropped malware copy in removable drives

NOTES:

This worm modifies its file attributes to Read-only and Hidden after execution.

It exchanges encrypted messages with a remote server via HTTP protocol (TCP port 80). It uses the following crafted User-Agent when communicating with the remote host:

• Mozilla/5.0 (Windows; U; Windows NT; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17

This worm also attempts to steal information from the file %Application Data%\Bitcoin\wallet.dat.

It monitors network traffic to acquire data from email and FTP accounts using the following strings:

• @
• AUTH
• Authorization
• Basic
• CONNECT
• ftp
• http
• PASS
• PLAIN
• pop3
• pop3_smtp
• PUT
• smtp
• USER

This worm creates .LNK (shortcut) files using folder names found in removable drives. It then hides the original folders tricking users to click .LNK files. This .LNK files point out to a dropped copy of itself in the removable drive.