WORM_KELIHOS.SM

tag:Worm  


This worm may be downloaded from the following remote sites:

  • http://{BLOCKED}.240.36/flash2.exe

It may be downloaded from remote site(s) by the following malware:

  • TROJ_KELIHOS.DLR

Installation

This worm creates the following folders:

  • %System Root%\All Users\Application Data\boost_interprocess
  • %System Root%\All Users\Application Data\boost_interprocess\{current date and time}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SmartIndex = {malware path and file name}

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\Software\Google
ID = 50

HKEY_CURRENT_USER\Software\Google
ID2 = {random values}

HKEY_CURRENT_USER\Software\Google
ID3 = {random values}

HKEY_CURRENT_USER\Software\Google
AppID = {random characters}

It adds the following registry keys:

HKEY_CURRENT_USER\Software\Google

Propagation

This worm composes messages as part of its spamming routine. Before spamming, it sends a GET request to its server to download encrypted data that contains the information used by the spamming routine.

The email it sends has the following format:

From: {name of sender}
Subject: {subject}
Message Body:
{name of sender} {message 1} {message 2}
{message 3}
{malicious link}

Some samples bear the following details:

{name of sender}:

  • Abraham
  • Adalbert
  • Baldwin
  • Barbara
  • Candida
  • Carol
  • Daniel
  • Dannie
  • Eddie
  • Edgar
  • Fanny
  • Felicia
  • Gabriel
  • Geffrey
  • Hadrian
  • Hannah
  • Irene
  • Isaac
  • Jacob
  • James
  • Katharine
  • Kathleen
  • Lambert
  • Laura
  • Mabel
  • Madeleine
  • Nance
  • Nancy
  • Odette
  • Olive
  • Paddy
  • Patricia
  • Rachel
  • Ralph
  • Sadie
  • Sally
  • Teddy
  • Terry
  • Valentine
  • Veronica
  • Wallace
  • Walter

{subject}:

  • Happy 2011!
  • You've got a Happy New Year Greeting Card!
  • I made an Ecard for U!
  • Enjoy the New Year!
  • Wishing you the Best New Year!

{message 1} can be any of the following:

  • just mailed to you
  • wants to show you
  • has created for you

{message 2} can be any of the following:

  • a postcard.
  • an ecard.
  • an electronic New Year greeting card.
  • a digital postcard.
  • a New Year ECard.
  • an Online greeting card.

{message 3} can be any of the following:

  • Click on the link below to see your greeting card:
  • Collect your E-card here:
  • It is waiting for you at our card site, go ahead and see it!
  • To pick up your greeting card, click on the following link at anytime within the next 30 days:
  • To view the ecard simply click the link below:

{malicious link} can be any link where TROJ_KELIHOS.DLR can be downloaded.
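The fixed template above (a short sender name, one of three verbs, one of six card phrases, one of five call-to-action lines, then a bare link) is rigid enough to match mechanically. The following Python is an added mail-filter example written for this page; it is not code from the encyclopedia entry and has nothing to do with the worm's own code. It parses a raw message, checks the subject against the list above, checks that the body has exactly the three-line shape, and notes when the sender name is repeated at the start of the body as the template does. The three sample messages and the link address in them are constructed for the example (a documentation address, not the blocked download site).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Template fragments copied from the entry above.
SUBJECTS = {
    "Happy 2011!",
    "You've got a Happy New Year Greeting Card!",
    "I made an Ecard for U!",
    "Enjoy the New Year!",
    "Wishing you the Best New Year!",
}
MSG1 = ["just mailed to you", "wants to show you", "has created for you"]
MSG2 = ["a postcard.", "an ecard.", "an electronic New Year greeting card.",
        "a digital postcard.", "a New Year ECard.", "an Online greeting card."]
MSG3 = {
    "Click on the link below to see your greeting card:",
    "Collect your E-card here:",
    "It is waiting for you at our card site, go ahead and see it!",
    "To pick up your greeting card, click on the following link at anytime within the next 30 days:",
    "To view the ecard simply click the link below:",
}


def _alt(options):
    return "|".join(re.escape(o) for o in options)


# First body line: "{name} {message 1} {message 2}"
LINE1_RE = re.compile(rf"^(?P<name>\S+) (?P<m1>{_alt(MSG1)}) (?P<m2>{_alt(MSG2)})$")
# Third body line: the bare {malicious link}
LINK_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)


def classify(raw):
    """Return (verdict, indicators) for one RFC 822 message text."""
    msg = message_from_string(raw)
    indicators = []

    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        indicators.append("subject")

    sender_name, _ = parseaddr(msg.get("From", ""))
    body = msg.get_payload()          # str for a single-part message
    if not isinstance(body, str):
        body = ""
    lines = [l.strip() for l in body.splitlines() if l.strip()]

    # The template is exactly three non-empty lines: sentence, call to action, link.
    if len(lines) == 3:
        m = LINE1_RE.match(lines[0])
        if m and lines[1] in MSG3 and LINK_RE.match(lines[2]):
            indicators.append("body_template")
            if m.group("name") == sender_name:
                indicators.append("name_repeated")
            indicators.append("link:" + lines[2])

    if "subject" in indicators and "body_template" in indicators:
        verdict = "kelihos_template"
    elif indicators:
        verdict = "suspicious"     # a lone New Year subject is weak evidence
    else:
        verdict = "clean"
    return verdict, indicators


# Constructed sample messages (not captured spam); the link is a documentation address.
SPAM = """From: Hannah <hannah@example.invalid>
To: someone@example.invalid
Subject: Happy 2011!

Hannah has created for you an ecard.
Collect your E-card here:
http://198.51.100.7/greeting.html
"""
SUBJECT_ONLY = """From: colleague@example.invalid
Subject: Happy 2011!

Hope the year starts well, see you Monday.
"""
CLEAN = """From: colleague@example.invalid
Subject: Q1 budget

Draft attached, comments by Friday please.
"""

if __name__ == "__main__":
    for name, sample in (("SPAM", SPAM), ("SUBJECT_ONLY", SUBJECT_ONLY), ("CLEAN", CLEAN)):
        print(name, classify(sample))
```

Matching only on the subject line is deliberately scored lower than the full body shape, since the subjects are ordinary holiday greetings; the extracted link from a template hit is what you would feed into blocklisting or into a lookup for TROJ_KELIHOS.DLR downloads.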

It displays information on its activities when it is executed with the parameter /loggs99. The original entry includes a screenshot of this log.

[Screenshot of the /loggs99 log output not reproduced]
Backdoor Routine

This worm opens the following port(s) where it listens for remote commands:

  • TCP port 1508
  • TCP port 1541
  • TCP port 80
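The host-side indicators in this entry (the SmartIndex Run value, the ID/ID2/ID3/AppID markers under HKCU\Software\Google, the boost_interprocess folder and the listening ports) can be checked offline from artifacts collected during triage. The following Python is an added example written for this page, not code from the entry or the vendor; it parses a .reg export and `netstat -ano` output of the formats Windows actually produces and a list of directory paths, and reports which indicators are present. The registry export, netstat listing and paths below are constructed sample input, including the malware path and the "random" ID2/ID3/AppID data.

```python
import re

# Indicators taken from the entry above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SmartIndex"
GOOGLE_KEY = r"HKEY_CURRENT_USER\Software\Google"
GOOGLE_VALUES = {"ID", "ID2", "ID3", "AppID"}
LISTEN_PORTS = {1508, 1541, 80}
DROP_DIR = r"all users\application data\boost_interprocess"

_VALUE_RE = re.compile(r'"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]+))')


def parse_reg_export(text):
    """Parse a minimal .reg export (string and dword values) into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name, s, d = m.groups()
                # .reg doubles backslashes inside string data
                keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys


def parse_listening_ports(netstat_text):
    """Collect TCP ports in LISTENING state from `netstat -ano` output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def triage(reg_text, netstat_text, paths):
    """Return a list of human-readable findings; empty means no indicator matched."""
    findings = []
    reg = parse_reg_export(reg_text)

    run = reg.get(RUN_KEY, {})
    if RUN_VALUE in run:
        findings.append(f"autostart: Run\\{RUN_VALUE} -> {run[RUN_VALUE]}")

    hit = GOOGLE_VALUES & set(reg.get(GOOGLE_KEY, {}))
    if hit:
        findings.append(f"markers under HKCU\\Software\\Google: {sorted(hit)}")

    ports = LISTEN_PORTS & parse_listening_ports(netstat_text)
    if ports - {80}:   # port 80 alone is too common to flag by itself
        findings.append(f"listening on backdoor ports: {sorted(ports)}")

    for p in paths:
        if DROP_DIR in p.lower():
            findings.append(f"drop folder present: {p}")
    return findings


# Constructed sample artifacts (not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartIndex"="C:\\Documents and Settings\\All Users\\Application Data\\flash2.exe"

[HKEY_CURRENT_USER\Software\Google]
"ID"=dword:00000032
"ID2"=dword:1a2b3c4d
"ID3"=dword:5e6f7081
"AppID"="q7ZkP2mL"
'''

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1320
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:1508           0.0.0.0:0              LISTENING       1320
  TCP    0.0.0.0:1541           0.0.0.0:0              LISTENING       1320
  TCP    192.0.2.10:1542        198.51.100.7:80        ESTABLISHED     1320
"""

SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\boost_interprocess\20110101 120000",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PATHS):
        print(f)
```

The ID value is the one fixed marker (decimal 50, written as dword:00000032 in a .reg export), so its presence together with the SmartIndex Run value is a much stronger signal than any single listening port; the boost_interprocess folder name is also used by legitimate software built on the Boost library, which is why it is reported as a finding rather than treated as conclusive on its own.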

Other Details

This worm does the following:

  • Sends out spam e-mails which contain links to TROJ_KELIHOS.DLR. This Trojan, in turn, downloads WORM_KELIHOS.SM.

    Note, however, that the binary served from the link may differ depending on which infected machine it is retrieved from, and the machine serving it changes.

©Virus-Encyclopedia.com All Rights Reserved.