Trojan.Win32.Koutodoor.e_3f1147e479
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Koutodoor.e (v) (VIPRE), Trojan.Win32.Koutodoor!IK (Emsisoft)
Behaviour: Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.
MD5: 3f1147e479ce7d0f9f79ed595fc03654
SHA1: 1ebfe42c3dbf84de7893f523f464ce139a83f585
SHA256: 29a57e476263654dfe192901ea9ce46e99495fcebd08d3c7333a1700304951c6
SSDeep: 3072:hVfn 3hJ6DSDpVdsKb KftLosFlgh6RSL5UhmapsSSF3xAiXlp:uGDSDpbnb KposFlgKS1UxNo3x37
Size: 147712 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-27 10:28:50
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
3f1147e479ce7d0:344
The Trojan injects its code into the following process(es):
No injection into other processes has been detected.
File activity
The process 3f1147e479ce7d0:344 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\kedyc.sys (42144 bytes)
%System%\mwkjls.bat (120 bytes)
%System%\njnpr.dll (61440 bytes)
Registry activity
The process 3f1147e479ce7d0:344 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 A6 F3 9E 6A 96 68 4E 18 4C BA 94 AE 44 A9 22"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime]
"SID" = "S-1-5-21-606747145-1060284298-839522115-1003"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan's driver "%Drivers%\kedyc.sys" replaces the ParseProcedure function pointer of the Device object type.
The Trojan's driver "%Drivers%\kedyc.sys" replaces the ParseProcedure function pointer of the Key object type.
Through the driver "%System%\drivers\kedyc.sys", the Trojan monitors the creation and termination of processes by registering a process-notification callback.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool.
- Terminate the malicious process(es) using the Task Manager:
3f1147e479ce7d0:344
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\kedyc.sys (42144 bytes)
%System%\mwkjls.bat (120 bytes)
%System%\njnpr.dll (61440 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.