Packed.Win32.Katusha.l

From Total Malware Info

The description for Packed.Win32.Katusha.l was created during the beta-test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

It is a trojan designed to download and launch other malicious programs. It is a Windows application (PE-EXE file). Its size is 152,064 bytes. It is packed with an unknown packer; the unpacked size is about 288 KB. It is written in C++.

Installation

After starting, the trojan searches for files with the extensions "exe", "dll" and "cpl". For each file found it reads the version information (the file's version resource), namely the following fields:

InternalName
ProductName
ProductVersion
PrivateBuild
FileVersion
OriginalFilename

Based on these data, it generates a name for a copy of its body. For example, a filename may be the concatenation of two fields, "InternalName" and "ProductVersion".

By scanning the logical drives, the trojan chooses the locations of its future copies. Most often, it creates copies in the following folders:

%Program Files%\
%Program Files%\Common Files\
%Windows%\

For example, the trojan creates six copies with the following names:

%Program Files%\Total Commander\Soft\AIMP\AIMP2AIMP2.exe
%Program Files%\Common Files\Microsoft Shared\DW\1042\MicrosoftDWIntl20.exe
%Program Files%\Common Files\System\msadc\msadcfData.exe
%Program Files%\Outlook Express\OEIMPORTWABMIG6.00.2900.5512.0804132105.exe
%Program Files%\Total Commander\Utils\PageDefrag\Sysinternalspagedfrg.exe
%Program Files%\Common Files\VMware\Drivers\VirtuaPrinter\TPOG3\i386\tpprnjpnOutput.exe

To start automatically each time the system boots, the trojan registers its executable file and its copies in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
trojan_file_name=full_path_to_trojan’s_body
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
trojan_file_name=full_path_to_trojan’s_body

Payload

To ensure that only one instance of its process runs, the trojan creates uniqueness identifiers with the following names:

RUNA<rnd1>
c_<rnd2>

Here <rnd1> and <rnd2> are random alphanumeric sequences.

It creates an encrypted file with the following name in the current user's temporary files folder:

%Temp%\a<rnd3>.tmp

Here <rnd3> is a random alphanumeric sequence. In the system registry key

[HKLM\SOFTWARE\Microsoft\MediaPlayer\Setup\Files]

the trojan stores, in the values "1" to "7", the full paths to the files containing its body. The paths are stored in an encoded form (base64, which is not real encryption and is trivially reversible), for example:

[HKLM\SOFTWARE\Microsoft\MediaPlayer\Setup\Files]
"1" = hex: 59, 7a, 70, 63, 63, 48, 4a, 76, 5a, 33, 4a, 68, 62, 53, 42, 6d, 61, 57, 78, 6c, 63, 31, 78,
68, 5a, 32, 35, 70, 64, 48, 56, 74, 58, 47, 39, 31, 64, 48, 42, 76, 63, 33, 51, 67, 5a, 6d, 6c, 79,
5a, 58, 64, 68, 62, 47, 78, 63, 61, 32, 56, 79, 62, 6d, 56, 73, 58, 47, 5a, 70, 63, 6d, 56, 33, 59,
57, 78, 73, 62, 33, 56, 30, 63, 47, 39, 7a, 64, 43, 35, 6c, 65, 47, 55, 3d

The decoded form:

c:\program files\agnitum\outpost firewall\kernel\firewalloutpost.exe
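The value above can be recovered without the malware itself: the REG_BINARY bytes are the ASCII text of a base64 string, which decodes to the path. The following is an added example (not code from the original description) that parses a registry hex listing in the format shown above, decodes it, and generalises to all seven values "1" to "7" when they are present; the function names are assumed, and the only sample value is the one listed in the description.

```python
import base64
import re

# Value "1" as listed in the description: REG_BINARY rendered as a
# comma-separated hex byte list wrapped over several lines.
SAMPLE_VALUES = {
    "1": """59, 7a, 70, 63, 63, 48, 4a, 76, 5a, 33, 4a, 68, 62, 53, 42, 6d, 61, 57, 78, 6c, 63, 31, 78,
68, 5a, 32, 35, 70, 64, 48, 56, 74, 58, 47, 39, 31, 64, 48, 42, 76, 63, 33, 51, 67, 5a, 6d, 6c, 79,
5a, 58, 64, 68, 62, 47, 78, 63, 61, 32, 56, 79, 62, 6d, 56, 73, 58, 47, 5a, 70, 63, 6d, 56, 33, 59,
57, 78, 73, 62, 33, 56, 30, 63, 47, 39, 7a, 64, 43, 35, 6c, 65, 47, 55, 3d""",
}


def reg_hex_to_bytes(dump: str) -> bytes:
    """Parse a 'hex: 59, 7a, ...' listing (optional 'hex:' prefix, any line wrapping) into bytes."""
    body = dump.split(":", 1)[1] if dump.lstrip().lower().startswith("hex:") else dump
    tokens = [t for t in re.split(r"[\s,]+", body) if t]
    if not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in tokens):
        raise ValueError("malformed REG_BINARY hex listing")
    return bytes(int(t, 16) for t in tokens)


def decode_stored_path(dump: str) -> str:
    """Registry bytes -> ASCII base64 text -> plaintext path."""
    b64_text = reg_hex_to_bytes(dump).decode("ascii")
    # validate=True makes a truncated or tampered value fail instead of decoding to garbage.
    return base64.b64decode(b64_text, validate=True).decode("latin-1")


def decode_all(values: dict) -> dict:
    """Decode every value '1'..'7' that is present; names absent from the sample are skipped."""
    return {name: decode_stored_path(values[name])
            for name in map(str, range(1, 8)) if name in values}
```

The resulting paths are the files that have to be deleted together with the trojan's original body.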

To test the Internet connection, the trojan sends a request to one of the following websites:

http://yahoo.com
http://msn.com
http://google.com
http://update.microsoft.com
http://windowsupdate.microsoft.com

If the Internet connection has been established, it sends requests to the following addresses:

http://securehttpss.com/httpss/ldr123.php?v=31&step=1&hostid=<rnd4>
http://securehttpss.com/httpss/ldr123.php?v=31&step=2&hostid=<rnd4>

Here <rnd4> is a sequence of Latin letters and digits derived from the current time and the serial number of the system drive.

It sends a request to the remote server:

http://securehttpss.com/getfile.php?r=<rnd4>&p=<rnd5>

Here:

<rnd5> is a trojan-generated sequence of digits;
<rnd6> is encrypted service information that is transmitted to the attacker's server.

In response to the query, the trojan receives a configuration file, which it needs for its further operation.

The malware also checks the availability of a third-level domain under "securehttpss.com", which is generated from the current system time:

http://<rnd7>.securehttpss.com

Here <rnd7> is a number derived from the current system time. At the time of writing, the server was unavailable.
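The network behaviour described above (check-in to ldr123.php with v=31 and step=1/2, the getfile.php configuration fetch, and the time-derived third-level domain) can be picked out of proxy logs. The following is an added detection example, not part of the original description; the log line format (timestamp, client IP, method, URL, status), the hostid and p values, and the function names are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the original description).
SAMPLE_LOG = """\
2009-11-02T10:01:05 10.0.0.12 GET http://update.microsoft.com/ 200
2009-11-02T10:01:06 10.0.0.12 GET http://securehttpss.com/httpss/ldr123.php?v=31&step=1&hostid=a1b2c3d4 200
2009-11-02T10:01:07 10.0.0.12 GET http://securehttpss.com/httpss/ldr123.php?v=31&step=2&hostid=a1b2c3d4 200
2009-11-02T10:01:09 10.0.0.12 GET http://securehttpss.com/getfile.php?r=a1b2c3d4&p=4471 200
2009-11-02T10:01:11 10.0.0.12 GET http://1257156071.securehttpss.com/ 503
2009-11-02T10:02:00 10.0.0.15 GET http://www.example.com/index.html 200
"""

C2_DOMAIN = "securehttpss.com"


def classify_url(url: str):
    """Return (kind, details) if the URL matches the described C2 traffic, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact domain or a subdomain of it; "evilsecurehttpss.com" must not match.
    if host != C2_DOMAIN and not host.endswith("." + C2_DOMAIN):
        return None
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if host != C2_DOMAIN:
        # <rnd7>.securehttpss.com: the time-derived third-level domain
        return ("time-based-subdomain", {"label": host[: -len(C2_DOMAIN) - 1]})
    if parts.path == "/httpss/ldr123.php" and qs.get("v") == "31":
        return ("checkin", {"step": qs.get("step"), "hostid": qs.get("hostid")})
    if parts.path == "/getfile.php":
        return ("config-fetch", {"r": qs.get("r"), "p": qs.get("p")})
    return ("other", {"path": parts.path})


def find_c2_hits(log_text: str):
    """Scan log lines; return (client_ip, kind, details) for every contact with the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        client, url = fields[1], fields[3]
        result = classify_url(url)
        if result:
            hits.append((client, result[0], result[1]))
    return hits
```

Any "checkin" hit identifies an infected client by IP; the hostid value ties the later "config-fetch" request to the same host.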

In one observed case, the trojan downloaded a malicious file that was a fake antivirus.

There is also a known case in which this malicious file was distributed by e-mail; the message was as follows:

Subject:

You Have Received a Greeting Card

Attachment: none

Email Body:

Good day.
You have received an eCard
To pick up your eCard, click on the following link (or copy & paste it into your web browser):
 
http://groups.google.com/group/<random string>/web/setup.zip
 
Your card will be available for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up! 
 
We hope you enjoy you eCard.
 
Thank You!

Here <random string> is the name of a Google Group registered by the attacker.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

  1. Using the Task Manager, terminate the trojan's process tree. In the case analysed here, the process name is:
    setup.exe
    
  2. Delete the original trojan body and its copies; their file paths can be determined from the following registry keys:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    
    For example:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Setup" = "D:\Sandbox\setup.exe"
    "CustomShapes" = "%Program Files%\total commander\soft\artweaver\standard \custom shapes\customshapes.exe"
    "NscopyNonStop" = "%Program Files%\total commander\plugins\wfx\badcopy\nscopy\nscopynscopy.exe"
    "Windowseditor0.2" = "%Program Files%\total commander\plugins\wcx\chmdir\fileseditor.exe"
    "RpcapdWinPcap" = "%Program Files%\winpcap\rpcapdwinpcap.exe"
    "ShapesCustom" = "%Program Files%\total commander\soft\artweaver\standard\custom shapes\customshapes.exe"
    "NscopyCopy" = "%Program Files%\total commander\plugins\wfx\badcopy\nscopy\nscopynscopy.exe"
    
  3. Delete the following registry values:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    trojan_file_name=full_path_to_trojan’s_body
     
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    trojan_file_name=full_path_to_trojan’s_body
    
  4. Remove values from “1” to “7” in the registry key
    [HKLM\SOFTWARE\Microsoft\MediaPlayer\Setup\Files]
    
