Encyclopedia entry
Updated: Apr 17, 2011 | Published: Jul 16, 2010
Aliases
- W32/Downloader.AT.gen!Eldorado (Command)
- TR/StartPage.jsp (Avira)
- Trojan.StartPage.27322 (Dr.Web)
- Trojan.Win32.StartPage.pqi (Rising AV)
- Troj/Mdrop-CRG (Sophos)
Alert Level (?)
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition: 1.121.1275.0 Released: Mar 10, 2012 | Detection initially created: Definition: 1.85.994.0 Released: Jun 28, 2010
Summary
Trojan:Win32/Kilonepag.A is a trojan that injects its malicious routines into the normal running process "svchost.exe" to enable it to drop several files in the system and modify registry settings. It can terminate certain processes and drop shortcuts to certain URLs on the user's desktop.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following registry modification:
Added value: "Explorer.exe %ProgramFiles%\tdxe\ruhrrun.exe"
With data: "Shell"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- The presence of the following subkeys:
  - HKCR\CLSID\{7AF60DD2-4979-11D1-3333-00C04FC33566}
  - HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}
- The presence of the following message box:
Technical Information (Analysis)
Trojan:Win32/Kilonepag.A is a trojan that injects its malicious routines into the normal running process "svchost.exe" to enable it to drop several files in the system and modify registry settings.
Installation
When run, this trojan injects its malicious code into the running "svchost.exe" process. It displays a message box and opens an instance of Internet Explorer pointing to the website "tc.v22.cc".
The message box appears similar to the following:
Trojan:Win32/Kilonepag.A creates a hidden, randomly-named folder under the Program Files folder, where it drops a randomly-named EXE file. It then modifies the registry to ensure that the dropped file is automatically run every time Windows starts:
Adds value: "Explorer.exe %ProgramFiles%\tdxe\ruhrrun.exe"
With data: "Shell"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Trojan:Win32/Kilonepag.A also adds the following registry subkeys:
- HKCR\CLSID\{7AF60DD2-4979-11D1-3333-00C04FC33566}
- HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}
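The persistence indicators described above (the Winlogon "Shell" value and the two CLSID subkeys, also listed under Symptoms) can be checked on a host with the following PowerShell. This is an added example, not part of the original encyclopedia entry or of any Microsoft tooling. It assumes that a clean Winlogon Shell value is exactly "explorer.exe"; any other value is reported for analyst review rather than treated as proof of infection, since some legitimate software also replaces the shell.

```powershell
# Added example (not from the encyclopedia entry): report the registry persistence
# indicators this entry lists. Reading HKLM does not require an elevated prompt.
# Assumption: on a clean host the Winlogon Shell value is exactly "explorer.exe".

$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$clsidKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{7AF60DD2-4979-11D1-3333-00C04FC33566}',
    'HKLM:\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}'
)

$findings = @()

# 1. Winlogon "Shell": Windows launches whatever is named here at logon. The entry
#    describes it being changed to "Explorer.exe <path to the dropped EXE>".
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    $findings += [pscustomobject]@{ Indicator = 'Winlogon Shell'; Value = '<missing>'; Status = 'Review' }
} elseif ($shell.Trim() -ine 'explorer.exe') {
    $findings += [pscustomobject]@{ Indicator = 'Winlogon Shell'; Value = $shell; Status = 'SUSPICIOUS' }
} else {
    $findings += [pscustomobject]@{ Indicator = 'Winlogon Shell'; Value = $shell; Status = 'OK' }
}

# 2. The two CLSID subkeys the entry says the trojan adds. Presence is the indicator.
foreach ($key in $clsidKeys) {
    $status = if (Test-Path -LiteralPath $key) { 'SUSPICIOUS' } else { 'OK' }
    $findings += [pscustomobject]@{ Indicator = 'CLSID subkey'; Value = $key; Status = $status }
}

# 3. If Shell names a second executable, check whether it exists and whether it is hidden
#    (the entry describes a hidden, randomly named folder under Program Files).
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $extra = ($shell.Trim() -split '\s+', 2)[1]
    if ($extra) {
        $path = [Environment]::ExpandEnvironmentVariables($extra.Trim('"'))
        if (Test-Path -LiteralPath $path) {
            $item   = Get-Item -LiteralPath $path -Force
            $hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            $findings += [pscustomobject]@{ Indicator = 'Shell target'; Value = $path; Status = "Exists; Hidden=$hidden" }
        } else {
            $findings += [pscustomobject]@{ Indicator = 'Shell target'; Value = $path; Status = 'Referenced but not found' }
        }
    }
}

$findings | Format-Table -AutoSize
```

A "SUSPICIOUS" Shell value should be compared against the software inventory before remediation; the CLSID subkeys are the more specific indicator for this family because a clean machine has neither.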
Payload
Drops URL shortcuts
Trojan:Win32/Kilonepag.A drops several URL shortcuts on the user's desktop. The URLs that these shortcuts connect to may be the following:
- dy.v22.cc
- m.v22.cc
- music.v22.cc
- v.v22.cc
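The dropped URL shortcuts are ordinary Internet Shortcut (.url) files, which are small INI-style text files with a "URL=" line under an [InternetShortcut] section. The following PowerShell, added here as an example and not part of the original entry, scans the public desktop and every profile desktop for shortcuts pointing at the hosts listed above or at any other host under v22.cc. It assumes user profiles live under C:\Users.

```powershell
# Added example (not from the encyclopedia entry): find desktop .url shortcuts whose
# target is one of the hosts this entry lists, or any host under v22.cc.
# Assumptions: profiles are under C:\Users; .url files carry a "URL=" line (standard format).

$hosts = @('dy.v22.cc', 'm.v22.cc', 'music.v22.cc', 'v.v22.cc')

# Public desktop plus each user's desktop
$desktops = @("$env:PUBLIC\Desktop") +
    (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Desktop' })

$hits = foreach ($desktop in $desktops) {
    if (-not (Test-Path -LiteralPath $desktop)) { continue }
    # -Force includes hidden shortcuts
    foreach ($file in Get-ChildItem -LiteralPath $desktop -Filter '*.url' -File -Force -ErrorAction SilentlyContinue) {
        $line = Select-String -LiteralPath $file.FullName -Pattern '^\s*URL\s*=\s*(\S+)' | Select-Object -First 1
        if (-not $line) { continue }
        $url = $line.Matches[0].Groups[1].Value
        # Resolve the host part; fall back to the raw string if it is not a parseable URI
        try { $target = ([uri]$url).Host } catch { $target = $url }
        if ($target -in $hosts -or $target -eq 'v22.cc' -or $target -like '*.v22.cc') {
            [pscustomobject]@{ Shortcut = $file.FullName; Target = $url; Created = $file.CreationTime }
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { 'No shortcuts pointing at the listed hosts found.' }
```

The creation timestamps of any hits give a rough time of infection that can be correlated with the Winlogon change and the dropped executable's timestamps.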
Terminates processes
Trojan:Win32/Kilonepag.A terminates several processes that may be running in memory. These processes may be associated with antivirus programs:
- 360sd.exe
- 360tray.exe
- avp.exe
- kwstray.exe
- QQDoctorRtp.exe
- Rav.exe
- wxCltAid.exe
Checks for TCP/IP connection
Trojan:Win32/Kilonepag.A checks whether TCP/IP is bound and enabled on the machine's network adapter. It does this by creating and running a VBScript query.
Analysis by Marianne Mallen