Backdoor.Win32.Kelihos_bb02f070fe

by malwarelabrobot on September 13th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Kelihos.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: bb02f070fee4832261dda0c1eb272b95
SHA1: acfa628759bbf2d91021b7903b98e83262d336ff
SHA256: 49d2c950eeda914bafa26d4b4310ad14054d8b82a19f0491d9aed21ae612caa8
SSDeep: 3072:XBvRIxbjtVE5 oO1qxXDODvyYIDseYgmkdLdRRsvw dz:xGx8O1qxXDODvyYIDseYgmk/Rw
Size: 224222 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: InstallManager
Created at: 2007-07-17 19:18:19


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

bb02f070fee4832261dda0c1eb272b95.exe:2044

The Backdoor injects its code into the following process(es):

temp08.exe:776

File activity

The process temp08.exe:776 makes changes in a file system.
The Backdoor deletes the following file(s):

%WinDir%\Temp\tmp.exe (0 bytes)

The process bb02f070fee4832261dda0c1eb272b95.exe:2044 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\Temp\temp08.exe (7386 bytes)

Registry activity

The process temp08.exe:776 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E C8 68 6A CD E6 FB 3B F4 EB EB 7F B9 39 5F A0"

[HKCU\Software\Microsoft\Notepad]
"sizeCompletedValid" = "DAPFRR41oht9I3XGSLozNudeAt1bKXc5MwVmLehKSnoAq90SsJzKgsyeHck2LNEoKQ=="

[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"ComputerName" = "XP7"

[HKCU\Software\Microsoft\Notepad]
"infoPlayedCurrent" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 61 00 02 01 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Notepad]
"styleModifiedPrev" = "80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PersistentLocalizedName" = "D6 80 F9 7F 7A 9D C2 3F 1C BC F7 69 A0 3E E1 B9"

[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "D6 80 F9 7F 73 4B 5F 14 6B 52 95 C5 F2 D6 85 64"

[HKCU\Software\Microsoft\Notepad]
"activeModifiedTheme" = "D6 80 F9 7F 87 0A 31 A2 44 76 EE E9 DA 95 E4 98"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"

[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DAPFRR41oht9I3XGSLozNudeAt1bKXc5MwVmLehKSnoAq90SsJzKgsyeHck2LNEoKQ=="

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DAPFRR41oht9I3XGSLozNudeAt1bKXc5MwVmLehKSnoAq90SsJzKgsyeHck2LNEoKQ=="

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkSaver" = "%WinDir%\Temp\temp08.exe"

The process bb02f070fee4832261dda0c1eb272b95.exe:2044 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 4C 3A 3A 0E 8C 14 60 3A 3E 0B 27 D6 4A E1 1B"

Network activity (URLs)

URL IP
hxxp://kybaxam.net/keybex4.exe (Malicious) 37.46.226.241


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    bb02f070fee4832261dda0c1eb272b95.exe:2044

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %WinDir%\Temp\temp08.exe (7386 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetworkSaver" = "%WinDir%\Temp\temp08.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now