
System Infected: Trojan.Kilim Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Kilim activity on the infected system.

Additional Information

The Trojan may be installed when a user clicks on a shortened hyperlink that redirects to a malicious website.

When the Trojan is executed, it creates the following files:

%ProgramFiles%\sXe 14.2 Wall - Aim\sXe 14.2 Wall - Aim\Uninstall.exe
%ProgramFiles%\sXe 14.2 Wall - Aim\sXe 14.2 Wall - Aim\Uninstall.ini
%Temp%\crx.txt
%Windir%\AdobeFlash\update.xml
%Windir%\AdobeFlash\windows.exe
%Windir%\AdobeFlash2\update.xml
%Windir%\windows.exe


The Trojan then creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeFlashUpdateManager" = ""%Windir%\AdobeFlash\windows.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\"1" = "http://www.e-begen.com/crx;C:\Windows\AdobeFlash\update.xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\"2" = "http://www.trkral.com/crx;C:\Windows\AdobeFlash2\update.xml"


Then it creates the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sXe 14.2 Wall - Aim sXe 14.2 Wall - Aim

Next, the Trojan may connect to any of the following domains:

[http://]www.e-begen.com/crx[REMOVED]
[http://]www.limbao.com
[http://]www.okubakgor.com
[http://]www.trkral.com/crx[REMOVED]
[https://]chrome.google.com
[https://]graph.facebook.com


It then downloads and installs two Google Chrome browser extensions.

When the user next signs in to Facebook, the Trojan may perform the following actions:

Post to the user's News Feed
"Like" pages
Follow other users


Any attempts to view installed Chrome extensions will be redirected to the following domain:
https://chrome.google.com/webstore
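
A host-side check for the file and registry indicators listed above, added here as an example and not Symantec's own signature logic: it reports the Run-key persistence entry, EnableLUA set to 0, any ExtensionInstallForcelist value that points at the named domains or update.xml files, and the dropped file paths. It assumes it is run in an elevated PowerShell session on the host being audited; the indicator strings are taken from this page only.

```powershell
# Added hunting script for the Trojan.Kilim indicators above (defender-side, not Symantec code).
# Assumes an elevated PowerShell on the host under review; every path/value comes from the page.
$findings = @()

# 1. Persistence: Run value "AdobeFlashUpdateManager" launching %Windir%\AdobeFlash\windows.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['AdobeFlashUpdateManager']) {
    $val = $run.AdobeFlashUpdateManager
    if ($val -match 'AdobeFlash\\windows\.exe') {
        $findings += "Run-key persistence: AdobeFlashUpdateManager = $val"
    }
}

# 2. UAC disabled: the Trojan sets EnableLUA = 0 (a 0 here is worth investigating on its own)
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name EnableLUA -ErrorAction SilentlyContinue
if ($pol -and $pol.EnableLUA -eq 0) {
    $findings += 'UAC disabled: EnableLUA = 0'
}

# 3. Chrome extensions forced by policy; values look like "<url>/crx;<local update.xml>"
$forceKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
if (Test-Path -LiteralPath $forceKey) {
    $force = Get-ItemProperty -Path $forceKey
    foreach ($p in $force.PSObject.Properties) {
        # Policy entries are numbered value names ("1", "2", ...); skip PowerShell's PS* metadata
        if ($p.Name -match '^\d+$' -and
            $p.Value -match 'e-begen\.com|trkral\.com|AdobeFlash2?\\update\.xml') {
            $findings += "Forced Chrome extension [$($p.Name)]: $($p.Value)"
        }
    }
}

# 4. Dropped files named on the page
$paths = @(
    "$env:windir\AdobeFlash\windows.exe",
    "$env:windir\AdobeFlash\update.xml",
    "$env:windir\AdobeFlash2\update.xml",
    "$env:windir\windows.exe",
    "$env:TEMP\crx.txt",
    "$env:ProgramFiles\sXe 14.2 Wall - Aim\sXe 14.2 Wall - Aim\Uninstall.exe"
)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) { 'No Trojan.Kilim indicators found.' } else { $findings }
```

Any hit from sections 1 to 3 is a strong signal even if the files are gone, since the ZoneMap and policy values are not cleaned up by simply deleting the dropped executables.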

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube