
System Infected: Trojan.Kissderfrom Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Kissderfrom attempting to contact its controlling server and download the latest version of the malware.

Additional Information

Trojan.Kissderfrom is a Trojan horse that attempts to steal information from the compromised computer.

When the Trojan is executed, it creates the following files:
  • %System%\[RANDOM CHARACTERS]
  • %System%\[RANDOM CHARACTERS].exe

Next, the Trojan creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\mapzone\"" = "[RANDOM CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\"Debugger" = "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe\"Debugger" = "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\"Debugger" = "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\"Debugger" = "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\"Debugger" = "[RANDOM CHARACTERS].exe"

The Trojan then modifies the following registry entry:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"EnableNegotiate" = "1"
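The Image File Execution Options entries above are a launch-hijack mechanism: Windows starts whatever the Debugger value names in place of the listed image, which is how the Trojan reroutes the browsers to iexplore.exe and ties its own executable to userinit.exe. As an added example, not Symantec's own tooling, the following Python script parses a "reg export" of the IFEO key and flags Debugger values that are not a known debugger binary, are relative paths, or sit on the browsers and userinit.exe named above; the sample export, the debugger allowlist and the image list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample "reg export" of the IFEO key; "rnd1234.exe" stands in for [RANDOM CHARACTERS].exe.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="rnd1234.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
'''
# Allowlist of debugger binaries that legitimately sit under IFEO (assumption; tune per site).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "windbgx.exe", "cdb.exe", "ntsd.exe"}
# Images the advisory shows being hijacked: browsers and the logon process.
HIGH_VALUE_IMAGES = {"chrome.exe", "navigator.exe", "opera.exe", "safari.exe", "userinit.exe"}
SECTION_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)
IFEO_MARK = "\\image file execution options\\"

def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_value} for each direct IFEO subkey with a Debugger value."""
    entries, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            idx = key.rfind(IFEO_MARK)
            rest = key[idx + len(IFEO_MARK):] if idx >= 0 else ""
            current = rest if rest and "\\" not in rest else None  # skip nested subkeys
            continue
        m = DEBUGGER_RE.match(line)
        if m and current:  # reg export escapes backslashes and quotes; undo that
            entries[current] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return entries

def audit_ifeo(reg_text):
    """Flag Debugger values that redirect a launch to something other than a debugger."""
    findings = []
    for image, dbg in parse_ifeo_debuggers(reg_text).items():
        path, reasons = PureWindowsPath(dbg.strip('"')), []
        if path.name.lower() not in KNOWN_DEBUGGERS:
            reasons.append("Debugger is not a known debugger binary")
        if not path.is_absolute():
            reasons.append("relative path, resolved through the search order at launch")
        if image in HIGH_VALUE_IMAGES:
            reasons.append("image is a browser or logon-critical process")
        if reasons:
            findings.append({"image": image, "debugger": dbg, "reasons": reasons})
    return findings
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; the notepad.exe entry in the sample is there to show that a genuine debugger hook is not flagged.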

It then opens a back door and may contact a command and control server on the following domain:
  • http://kissfromde.cn

The Trojan can then be configured to log keystrokes typed into a browser and send them to the command and control server.

Affected

  • Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Response

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Extract and restore Windows files.