Analysis by: Joachim Suico
ALIASES:

Backdoor:Win32/Kelihos (Microsoft); Trojan.Kelihos.FV (Malwarebytes); Backdoor.Kelihos.F (CAT-QuickHeal)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 1,134,229 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 10 Aug 2013

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{string 1}{string 2} = "{malware path}\{malware file}"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
IMEJP\{number}\MSIME\
AutoCharWidth
DefaultCompressedRecord = "{hex values}"

HKEY_CURRENT_USER\Software\Microsoft\
IMEJP\{number}\MSIME\
AutoCharWidth
RecordModifiedMax = "{random value}=="

HKEY_CURRENT_USER\Software\Microsoft\
IMEJP\{number}\MSIME\
AutoCharWidth
FlagsModifiedValid = "0"

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows XP)
PersistentLocalizedName = "{hex values}"

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows XP)
LineLoadedQuick = "{random value}=="

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows XP)
PlatformCompressedValid = "0"

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows XP)
DBSavedUse = "{hex values}"

HKEY_CURRENT_USER\Software\TansuTCP (Windows XP)
ActiveModifiedTheme = "{hex values}"

HKEY_CURRENT_USER\Software\TansuTCP (Windows XP)
SizeCompletedValid = "{random value}=="

HKEY_CURRENT_USER\Software\TansuTCP (Windows XP)
InfoPlayedCurrent = "0"

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows 7)
ActiveModifiedTheme = "{hex values}"

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows 7)
SizeCompletedValid = "{random value}=="

HKEY_CURRENT_USER\Software\Sysinternals\
Process Explorer (Windows 7)
InfoPlayedCurrent = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\ime\
IMTC70 (Windows 7)
PersistentLocalizedName = "{hex values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\ime\
IMTC70 (Windows 7)
LineLoadedQuick = "{random value}=="

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\ime\
IMTC70 (Windows 7)
PlatformCompressedValid = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\ime\
IMTC70 (Windows 7)
DBSavedUse = "{hex values}"

NOTES:

This backdoor modifies its file attributes to Read-only and Hidden after execution.

The auto-run registry {string 1} can be any of the following:

  • Network
  • Time
  • CrashReport
  • Database
  • Icon
  • Desktop
  • Tray
  • Video
  • Media

The auto-run registry {string 2} can be any of the following:

  • Informer
  • Verifyer
  • Saver
  • Notifyer
  • Checker
  • Updater

It connects to randomly generated IP addresses with the following as URL path:

  • /online.htm
  • /main.htm
  • /start.htm
  • /install.htm
  • /login.htm
  • /setup.htm
  • /welcome.htm
  • /search.htm
  • /home.htm
  • /default.htm
  • /index.htm