Backdoor:Win32/Koceg.gen!B is a generic detection for a family of trojans that download and execute arbitrary files and send a list of running processes to a remote server. They may also attempt to remove other malware running on the affected system, and some variants act as worms by copying themselves to removable drives.
Installation
When executed, Backdoor:Win32/Koceg.gen!B copies itself to <system folder>\drivers\spools.exe and %UserProfile%\cftmon.exe. Both file names closely resemble the legitimate Windows binaries spoolsv.exe and ctfmon.exe, which normally reside directly in <system folder>, not in the drivers folder or the user profile.
Notes:
- <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
- %UserProfile% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the %UserProfile% directory corresponds to the path '\Documents And Settings\<username>'.
It creates the following registry entries:
To key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: Shell
With data: "Explorer.exe"
Adds value: UIHost
With data: "logonui.exe"
Note: "Explorer.exe" and "logonui.exe" are the default data for these two values, so their presence is not an indicator of infection by itself; a different Shell or UIHost value is.
To key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Adds value: ImagePath
With data: "<system folder>\drivers\spools.exe"
Note: Schedule is the Task Scheduler service. Redirecting its ImagePath makes spools.exe start in place of the service host whenever the service starts, which is how the malware persists across reboots.
To key: HKCR\exefile\shell\open\command
Adds value: (Default)
With data: "%UserProfile%\cftmon.exe "%1" %*"
Note: This replaces the default open command for .exe files, "%1" %*, so cftmon.exe is invoked every time any executable is launched. When cleaning a system, restore the default data before deleting cftmon.exe; otherwise no .exe (including reg.exe and regedit.exe) can be started.
It also attempts to create the following:
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: ntuser
With data: "<system folder>\drivers\spools.exe"
Adds value: autoload
With data: "%UserProfile%\cftmon.exe"
Note that with many variants detected as Backdoor:Win32/Koceg.gen!B, this attempt to modify the registry fails.
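The following script, an added example that is not part of the original write-up, checks a live host for the files and registry values listed under Installation and shows the safe order for undoing the .exe association hijack. The "clean" values it compares against (Explorer.exe, logonui.exe, an svchost.exe ImagePath and "%1" %*) are the author's assumptions about a normal XP-era installation, not statements from the page.

```powershell
# Added example, not code from the Microsoft write-up: checks a live host for
# the files and registry values listed under Installation. Run from an elevated
# PowerShell prompt. Expected "clean" values are the author's assumptions.

function Test-RegValue {
    # Emits a hit object when the named value exists and differs from $Expected.
    # Absent keys or values emit nothing: there is nothing to judge.
    param([string]$Path, [string]$Name, [string]$Expected, [string]$Note, [switch]$Wildcard)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = [string]$item.$Name
    $ok = if ($Wildcard) { $actual -like $Expected } else { $actual -eq $Expected }
    if (-not $ok) {
        [pscustomobject]@{ Indicator = "$Path\$Name"; Value = $actual; Note = $Note }
    }
}

function Find-KocegIndicators {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Shell and UIHost are written with their default data, so only a
    # non-default value is worth reporting.
    Test-RegValue $winlogon 'Shell'  'explorer.exe' 'Winlogon shell replaced'
    Test-RegValue $winlogon 'UIHost' 'logonui.exe'  'Winlogon UIHost replaced'

    # The Task Scheduler service ("Schedule") normally runs inside svchost.exe;
    # Koceg points its ImagePath at the dropped copy so it starts as a service.
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' 'ImagePath' `
        '*svchost.exe*' 'Schedule service ImagePath hijacked' -Wildcard

    # Default open command for .exe files is "%1" %*; anything else runs on
    # every executable launch. HKCR: is not a drive by default, hence Registry::.
    Test-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' '(default)' `
        '"%1" %*' 'exefile open command hijacked'

    # Any 'ntuser' or 'autoload' value under the user's Run key is reported as-is.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'ntuser', 'autoload') {
        if ($run -and $run.PSObject.Properties[$name]) {
            [pscustomobject]@{ Indicator = "$runKey\$name"; Value = [string]$run.$name; Note = 'Run value present' }
        }
    }

    # Dropped copies. [IO.File]::Exists ignores the hidden attribute, unlike
    # Get-ChildItem without -Force.
    foreach ($f in "$env:SystemRoot\System32\drivers\spools.exe", "$env:USERPROFILE\cftmon.exe") {
        if ([IO.File]::Exists($f)) {
            [pscustomobject]@{ Indicator = $f; Value = 'present'; Note = 'dropped copy' }
        }
    }
}

function Restore-ExeFileAssociation {
    # Call this BEFORE removing cftmon.exe. While the hijack is in place every
    # .exe (reg.exe and regedit.exe included) is started through cftmon.exe, so
    # deleting the file first leaves nothing launchable. Set-ItemProperty runs
    # inside the current PowerShell process and needs no new executable.
    Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
        -Name '(default)' -Value '"%1" %*'
}

$hits = @(Find-KocegIndicators)
if ($hits.Count -eq 0) { 'No Koceg installation indicators found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Run Find-KocegIndicators first and act on the report; Restore-ExeFileAssociation is deliberately not called automatically. The Schedule service ImagePath is not restored by this script either: on Windows XP its default is %SystemRoot%\System32\svchost.exe -k netsvcs as a REG_EXPAND_SZ value, and on other versions it should be copied from a known-clean host of the same build rather than guessed.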
May Spread Via…
Removable Drives
Users should note that some variants do not spread independently. Others act as worms by copying themselves to the root directory of removable drives as a hidden file named autorun.exe.
Upon copying itself to a drive, the worm creates a file named 'autorun.inf' in the root of the drive.
The autorun.inf file tells the operating system to run autorun.exe. Depending on the AutoRun configuration, this happens when the drive is opened in Windows Explorer or when it is newly attached to the system (unless AutoRun has been disabled by policy).
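The following script is an added example, not code from the original write-up. It inspects every removable drive for the autorun.inf / hidden autorun.exe pair described above, lists which [autorun] keys would cause execution, and reports whether this host's AutoRun policy would honour the file. The [autorun] key names, the NoDriveTypeAutoRun bit values and the use of WMI drive type 2 for removable media are the author's knowledge of Windows, not claims made on the page.

```powershell
# Added example, not code from the Microsoft write-up: checks removable drives
# for the autorun.inf / autorun.exe pair and whether AutoRun is still enabled.

function Get-AutorunInfTargets {
    # Minimal parser for the [autorun] section; returns the keys that cause code
    # to run (open=, shellexecute=, shell\<verb>\command=). The file is read via
    # .NET so hidden/system attributes do not get in the way.
    param([string]$InfPath)
    $inSection = $false
    foreach ($line in [IO.File]::ReadAllLines($InfPath)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'autorun'); continue }
        if ($inSection -and $t -match '^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ Key = $Matches[1]; Target = $Matches[2].Trim() }
        }
    }
}

function Test-AutorunHonoured {
    # NoDriveTypeAutoRun is a bit mask over drive types; 0x04 is DRIVE_REMOVABLE.
    # 0xFF (the value Microsoft recommends) disables AutoRun for every type.
    # Returns $true when neither the machine nor the user policy blocks it.
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
            -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($p -and (($p.NoDriveTypeAutoRun -band 0x04) -ne 0)) { return $false }
    }
    return $true
}

function Find-KocegRemovableDrives {
    # DriveType 2 = removable. On Windows XP / PowerShell 2 replace
    # Get-CimInstance with Get-WmiObject; the arguments are identical.
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        $exe  = Join-Path $root 'autorun.exe'
        if (-not [IO.File]::Exists($inf)) { continue }

        $exeState = 'absent'
        if ([IO.File]::Exists($exe)) {
            $hidden = ([IO.File]::GetAttributes($exe) -band [IO.FileAttributes]::Hidden) -ne 0
            $exeState = if ($hidden) { 'present, hidden' } else { 'present' }
        }
        $targets = Get-AutorunInfTargets $inf | ForEach-Object { "$($_.Key)=$($_.Target)" }
        [pscustomobject]@{
            Drive          = $d.DeviceID
            AutorunInf     = ($targets -join '; ')
            AutorunExe     = $exeState
            HostWouldRunIt = Test-AutorunHonoured
        }
    }
}

Find-KocegRemovableDrives | Format-Table -AutoSize -Wrap
```

An autorun.inf whose open= or shellexecute= target is autorun.exe on the same drive, next to a hidden autorun.exe, is the pattern described above; a drive that only carries a vendor autorun.inf with an icon= line produces no targets. Note also that Windows 7 and the AutoRun update for earlier versions (KB971029) ignore autorun.inf on non-optical media regardless of this policy, so HostWouldRunIt is mainly meaningful on the XP-era systems this family targeted.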
Payload
Backdoor Functionality
Once installed, the trojan connects to one of a number of possible web servers. In our laboratory testing, we observed Koceg variants attempting to contact the following servers (for example):
• gudook.info
• satellife.info
• fewfwe.net
• blinko-usa.com
• conceptinvestin.com
• tgspk.ru
Different variants may use a subset of one or more servers from this list.
The backdoor’s controller may request that it perform the following actions:
• Attempt to disable certain other malware on the system
• Download and execute arbitrary files
These actions are described in further detail below.
Attempts to Disable Other Malware
The malware attempts to delete a service with the name 'grande48' if it is running. It also attempts to delete the following files:
• %windir%\system32\WLCtrl32.dll
• %windir%\system32\drivers\grande48.sys
• Any file in the %windir%\system32\drivers\ directory with an extension of .sys and a size of 27008 bytes.
It also attempts to delete the following registry entries:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32
It may also attempt to delete certain entries from the following registry keys:
• HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
• HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network
• HKLM\SYSTEM\CurrentControlSet\Services
All of the above may be an attempt to disable components of the Win32/Cutwail family, and older variants of the Win32/Srizbi family.
This process is also carried out when the malware is first run, without requiring a backdoor command.
Downloads and Executes Arbitrary Files
The contacted server may respond to requests with a list of files to download. The trojan downloads these files, saves them to %temp%\<3-4 random upper case alphanumeric characters>.tmp and executes them. It may repeat this process every two hours.
At the time of publication, the malware had been observed to download files from the Win32/Vundo, Win32/Nuwar, and Win32/Emurbo families, and more recent variants of the Win32/Srizbi family.
Sends System Information to Remote Server
The malware may send a list of processes running on the system to the backdoor server that was chosen from the list above.
Disables Browser Helper Objects
The malware attempts to disable Browser Helper Objects by deleting the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects registry key, and all subkeys and values.
Removes Startup Program Registry Entries
The malware attempts to prevent other programs from running at system startup by deleting the following registry keys, and all subkeys and values:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
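The following script is an added example, not code from the original write-up. It hunts for the payload artefacts described in the sections above: executables dropped into %temp% under a .tmp name, cached DNS lookups for the listed servers, and the startup and Browser Helper Object keys the malware deletes. The naming pattern, server names and key paths come from the page; the MZ-header test, the 48-hour window, the DNS-cache lookup and the assumption that these keys exist on a normal install are the author's choices.

```powershell
# Added example, not code from the Microsoft write-up: looks for Koceg payload
# artefacts on a live host. Run from an elevated PowerShell prompt.

$KocegServers = 'gudook.info', 'satellife.info', 'fewfwe.net',
                'blinko-usa.com', 'conceptinvestin.com', 'tgspk.ru'

function Find-DroppedTmpExecutables {
    # Downloaded payloads land in %temp% as <3-4 upper-case alphanumerics>.tmp
    # but are executables, so the first two bytes of a real hit read 'MZ'.
    param([int]$MaxAgeHours = 48)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    foreach ($f in Get-ChildItem -LiteralPath $env:TEMP -File -Force -ErrorAction SilentlyContinue) {
        if ($f.Name -cnotmatch '^[A-Z0-9]{3,4}\.[Tt][Mm][Pp]$' -or $f.CreationTime -lt $cutoff) { continue }
        $head = New-Object byte[] 2
        $fs = [IO.File]::OpenRead($f.FullName)
        try { $n = $fs.Read($head, 0, 2) } finally { $fs.Dispose() }
        if ($n -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
            [pscustomobject]@{ Path = $f.FullName; Created = $f.CreationTime; Size = $f.Length }
        }
    }
}

function Find-KocegDnsCacheEntries {
    # Get-DnsClientCache exists from Windows 8 / Server 2012 onwards; older
    # hosts expose the same data through ipconfig /displaydns.
    $names = if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        (Get-DnsClientCache).Entry
    } else {
        ipconfig /displaydns | ForEach-Object { if ($_ -match 'Record Name[ .]*:\s*(\S+)') { $Matches[1] } }
    }
    foreach ($n in $names) {
        foreach ($s in $KocegServers) {
            if ($n -eq $s -or $n -like "*.$s") { [pscustomobject]@{ CachedName = $n; Server = $s } }
        }
    }
}

function Find-DeletedStartupKeys {
    # Koceg deletes these keys outright. The two Run keys exist on every normal
    # install, so their absence is a strong signal; the BHO key is usually
    # present but can legitimately be missing.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { [pscustomobject]@{ MissingKey = $k } }
    }
}

'--- executables disguised as .tmp in %temp% ---'
Find-DroppedTmpExecutables | Format-Table -AutoSize
'--- Koceg servers in the DNS cache ---'
Find-KocegDnsCacheEntries | Format-Table -AutoSize
'--- startup / BHO keys deleted ---'
Find-DeletedStartupKeys | Format-Table -AutoSize
```

The DNS-cache check only sees names resolved since the last cache flush or reboot, so an empty result does not clear a host; the two-hour download cycle means a live infection usually re-resolves its server within a short observation window. A .tmp file that starts with MZ should be kept for analysis, not deleted, since its family (Vundo, Nuwar, Emurbo, Srizbi in the cases observed) tells you what else to look for.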
Additional Information
The malware periodically attempts to delete the file C:\stop. If this succeeds (i.e. the file was present), the malware will stop running.
Analysis by David Wood