Trojan.Kalshi


Discovered: October 10, 2003
Updated: October 13, 2003 2:54:49 PM
Systems Affected: Windows

Trojan.Kalshi is a trojan program designed to let spammers send email spam anonymously through a compromised system. The trojan may install a rootkit (MCID 1300) to hide its activities.


Technical Description

Trojan.Kalshi is a trojan program designed to let spammers send email spam anonymously through a compromised system. The trojan may install a rootkit (MCID 1300) to hide its activities. When the Trojan is run, it executes Hxdef073.exe in an attempt to hide the processes, registry keys, and files belonging to the Trojan and the rootkit.

Next, Msdc.exe is executed.

The trojan will test the system for Internet connectivity by connecting to hotmail.com.

Next, the trojan attempts to connect to port 5190 on a predetermined list of servers.

Once a connection has been established, the trojan requests the following data:
A list of recipient email addresses.
A prewritten email message.

The trojan will save the data it receives in the following files:
Mail.txt
Mails.txt

Next, the trojan queries the compromised system's default DNS server for the mail exchange (MX) record of each recipient's domain. It then delivers the prewritten email to all of the recipient addresses directly through the mail servers named in the MX records it receives.

The trojan spoofs the 'From:' line of the outgoing email. The spoofed address is assembled from the following data, which is hard-coded into the body of the Trojan:
A list of names that appears to have been taken from a pre-existing newsgroup.
A list of domains, several of which are used for anti-spam purposes.

When this operation is complete, the trojan will delete both the Mail.txt and Mails.txt files.

Finally, the trojan continues to poll the predetermined servers for updated recipient addresses and prewritten messages. Whenever new data is available, it downloads it and sends the mail using the procedure described above.
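Detection logic for the behaviour sequence described above, as an added example (not code from the original advisory). It assumes a constructed, simplified firewall/DNS log format and a hypothetical allowlist of hosts that are permitted to query MX records and deliver mail directly; the IP addresses and domains are constructed sample values.

```python
from collections import defaultdict

# Constructed sample log (not from the advisory) in a simple "<time> <src> conn <dst>:<port>"
# or "<time> <src> dns MX <domain>" form, such as a firewall/DNS export might give.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 conn 64.4.11.42:80
10:00:02 10.0.0.5 conn 203.0.113.7:5190
10:00:05 10.0.0.5 dns MX example.org
10:00:05 10.0.0.5 dns MX example.net
10:00:06 10.0.0.5 conn 198.51.100.10:25
10:00:06 10.0.0.5 conn 198.51.100.11:25
10:00:07 10.0.0.5 conn 198.51.100.12:25
10:00:08 10.0.0.5 conn 198.51.100.13:25
10:01:00 10.0.0.9 conn 203.0.113.7:5190
10:01:30 10.0.0.9 conn 192.0.2.8:443
10:02:00 10.0.0.20 dns MX example.org
10:02:01 10.0.0.20 conn 198.51.100.10:25
"""

# Hosts allowed to query MX records and talk SMTP to the Internet (assumed allowlist).
MAIL_SERVERS = {"10.0.0.20"}

def host_profiles(log_text):
    """Per source host: used tcp/5190, queried MX records, and the set of SMTP peers."""
    profiles = defaultdict(lambda: {"port5190": False, "mx": False, "smtp_peers": set()})
    for line in log_text.splitlines():
        _ts, src, kind, detail = line.split(maxsplit=3)
        p = profiles[src]
        if kind == "conn":
            dst, port = detail.rsplit(":", 1)
            if port == "5190":
                p["port5190"] = True
            elif port == "25":
                p["smtp_peers"].add(dst)
        elif kind == "dns" and detail.startswith("MX "):
            p["mx"] = True
    return profiles

def flag_spam_relays(log_text, mail_servers=MAIL_SERVERS, min_smtp_peers=3):
    """Hosts showing the whole Kalshi sequence: tcp/5190 control channel, MX lookups,
    then direct SMTP to several distinct servers, from a host that is not a mail server."""
    flagged = []
    for host, p in sorted(host_profiles(log_text).items()):
        if host in mail_servers:
            continue
        if p["port5190"] and p["mx"] and len(p["smtp_peers"]) >= min_smtp_peers:
            flagged.append(host)
    return flagged
```

Any one signal alone is noisy (tcp/5190 is ordinary instant-messaging traffic, and real mail servers query MX records), which is why the rule requires the full sequence from a host outside the allowlist.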