Trojan.Win64.KGHSPY.ZKIH

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It does not have any propagation routine.

It does not have any backdoor routine.

As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• %Windows%\explorer.exe /root, %System%\cmd.exe → loads downloaded %User Temp%\uc.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Command Processor
AutoRun = rundll32.exe "%User Temp%\uc.dll", out & exit

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Rootkit Capabilities

This Trojan does not have rootkit capabilities.

Download Routine

This Trojan accesses the following websites to download files:

• http://web.{BLOCKED}c.o-r.kr/wp-includes/css/dist/nux/home/?act=wbi&id={Computername}&ver={OS Architecture}
• http://web.{BLOCKED}c.o-r.kr/wp-includes/css/dist/nux/home/?act=paydb&id={Computername}&ver={OS Architecture}
• http://web.{BLOCKED}c.o-r.kr/wp-includes/css/dist/nux/home/?act=paydl&id={Computername}&ver={OS Architecture}
• http://web.{BLOCKED}c.o-r.kr/wp-includes/css/dist/nux/home/?act=sets&id={Computername}&ver={OS Architecture}
• http://web.{BLOCKED}c.o-r.kr/wp-includes/css/dist/nux/home/?act=ucd&id={Computername}&ver={OS Architecture}

It saves the files it downloads using the following names:

• %User Temp%\m.dll
• %User Temp%\ht.tr
• %User Temp%\sp.dll
• %User Temp%\s.dll
• %User Temp%\uc.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan gathers the following data:

• Username
• Computername
• OS Architecture
• Contents of the following file:
  • %User Temp%\w.x

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Stolen Information

This Trojan sends the gathered information via HTTP POST to the following URL:

• http://web.{BLOCKED}c.o-r.kr/wp-includes/css/dist/nux/home/up.php?id={Computername}

  NOTES:
  

This Trojan does the following:

• Continues with routine:
  • If it is loaded by splwow64.exe
  • If URLs are still accessible
• Attempts to delete the following after execution:
  • files:
    • %User Temp%\m.dll
    • %User Temp%\ht.tr
    • %User Temp%\sp.dll
    • %User Temp%\s.dll
    • %User Temp%\uc.dll
    • %User Temp%\w.x
  • registry entry:
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
      AutoRun = rundll32.exe "%User Temp%\uc.dll", out & exit

  This Trojan does not exploit any vulnerability.