Trojan.Win32.Koutodoor_35d555a003
Trojan.Generic.5342054 (BitDefender), Trojan:Win32/Koutodoor.E (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Koutodoor.e (v) (VIPRE), Trojan.MulDrop4.24670 (DrWeb), Trojan.Generic.5342054 (B) (Emsisoft), Koutodoor.gen.g (McAfee), Trojan.Koutodoor!gen (Symantec), Trojan.Win32.Koutodoor (Ikarus), Trojan.Generic.5342054 (FSecure), Crypt_s.BIY (AVG), Win32:Caxnet [Trj] (Avast), TROJ_KTODOOR.SMF (TrendMicro), Trojan.Generic.5342054 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 35d555a00317440c76b7dc57bd0f0475
SHA1: 04fceb8148b6bc26636017b385233310147715a6
SHA256: 5632798f3dfa13d99a375ca45447b0af42bf1461967f38b70943eb498bfe3176
SSDeep: 3072:Jnl8E3qUX9XeV6JsPLPjpOZ2IudKc5E4Ny:JP3BuPNcEXS4k
Size: 147712 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6 (PEiD signature matches; the Armadillo and UPolyX hits conflict with the "Not Packed" entropy result above and should be treated as heuristic, not as proof of a packer)
Company: no certificate found
Created at: 2010-12-27 10:58:17
Analyzed on: Windows XP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1796
The Trojan injects its code into the following process(es):
No code injection has been detected.
File activity
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\niph.dll (61440 bytes)
%System%\yoxfgx.bat (120 bytes)
%System%\drivers\iwzimim.sys (41760 bytes)
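The hashes in the header and the three dropped files above are the indicators a responder would actually search for. The script below is an added example written for this page, not part of the Lavasoft report: it checks a suspect file against the report's size and digests and checks a file inventory (or the live %SystemRoot%\System32 directory) for the dropped file names and sizes. The indicator values are copied from the report; the function names, the inventory format and the "exact"/"name-only" verdicts are this example's own design, and the test inventory is constructed.

```python
"""Triage check for the Koutodoor indicators listed in this report.

Added example, not from the report. Hashes, file names and sizes come from
the report above; helper names and the inventory format are assumptions.
"""
import hashlib
import os
import sys

# Dropper sample identified in the report header.
DROPPER_SIZE = 147712
DROPPER_HASHES = {
    "md5": "35d555a00317440c76b7dc57bd0f0475",
    "sha1": "04fceb8148b6bc26636017b385233310147715a6",
    "sha256": "5632798f3dfa13d99a375ca45447b0af42bf1461967f38b70943eb498bfe3176",
}

# Files written by the dropper, relative to %System%, with the sizes the sandbox saw.
DROPPED_FILES = {
    "niph.dll": 61440,
    "yoxfgx.bat": 120,
    "drivers/iwzimim.sys": 41760,
}


def normalize(relpath):
    """Windows paths are case-insensitive and may use either separator."""
    return relpath.replace("\\", "/").strip("/").lower()


def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 of a byte string as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DROPPER_HASHES}


def match_dropper(data):
    """True only when the size and all three digests match the report's sample."""
    if len(data) != DROPPER_SIZE:  # cheap filter before hashing
        return False
    return hash_bytes(data) == DROPPER_HASHES


def match_dropped_files(inventory):
    """inventory: {path relative to %System%: size in bytes}.

    Returns a sorted list of (normalized path, verdict). 'exact' means name
    and size both match the report; 'name-only' means the name matches but
    the size differs (a different build, or a benign name collision), which
    is weaker evidence and deserves a manual look rather than a blind delete.
    """
    hits = []
    for relpath, size in inventory.items():
        key = normalize(relpath)
        expected = DROPPED_FILES.get(key)
        if expected is None:
            continue
        hits.append((key, "exact" if size == expected else "name-only"))
    return sorted(hits)


def inventory_from_disk(system_dir):
    """Stat only the three reported paths under system_dir; absent files are skipped."""
    inv = {}
    for relpath in DROPPED_FILES:
        full = os.path.join(system_dir, *relpath.split("/"))
        if os.path.isfile(full):
            inv[relpath] = os.path.getsize(full)
    return inv


if __name__ == "__main__":
    # Usage: python koutodoor_check.py [suspect.exe ...]
    # Any arguments are hashed against the sample; %SystemRoot%\System32 is
    # then checked for the dropped files (SystemRoot is assumed when unset).
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            verdict = "MATCHES report sample" if match_dropper(f.read()) else "no match"
        print(f"{path}: {verdict}")
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    hits = match_dropped_files(inventory_from_disk(system_dir))
    if not hits:
        print(f"no dropped files found under {system_dir}")
    for key, verdict in hits:
        print(f"{system_dir}\\{key}: {verdict}")
```

A file with a matching name but a different size is reported separately because the sizes here are those of one sandbox run; a later build of the same family will keep the names and change the bytes, while an unrelated file could share the name by chance.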
Registry activity
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 04 15 98 83 EE 0E F8 E4 CB A0 14 96 26 6C 8D"
(This value is rewritten by the Windows CryptoAPI whenever a process requests random data; it is a side effect of normal API use, not a usable indicator.)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"
({871C5380-42A0-1069-A2EA-08002B30309D} is the CLSID of the Internet Explorer desktop icon; the value 0 forces the icon to be shown.)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime]
"SID" = "S-1-5-21-606747145-1060284298-839522115-1003"
(The SID is that of a local user account on the analysis machine and will differ on any other host.)
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan's driver "%System%\drivers\iwzimim.sys" replaces the ParseProcedure pointer of the kernel Device object type with its own routine, so that opens of device objects pass through the rootkit.
The Trojan's driver "%System%\drivers\iwzimim.sys" replaces the ParseProcedure pointer of the kernel Key object type with its own routine, so that registry opens pass through the rootkit.
Using the driver "%System%\drivers\iwzimim.sys", the Trojan installs a process-creation notify routine and is therefore called back whenever a process is created or exits.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool so that the kernel hooks and the process notify routine installed by "%System%\drivers\iwzimim.sys" are removed before any files are deleted.
- Terminate the malicious process(es), for example with Task Manager:
%original file name%.exe:1796
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\niph.dll (61440 bytes)
%System%\yoxfgx.bat (120 bytes)
%System%\drivers\iwzimim.sys (41760 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.