
System Infected: Backdoor.Kihomchi Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Kihomchi activity on the infected machine.

Additional Information

When the Trojan is executed, it creates the following files:
C:\MPOS.EXE
C:\MPOS_[RANDOM NUMBER].exe
C:\Windows\KBankStar_[YEAR OF CREATION]_[MONTH OF CREATION]_[DAY OF CREATION].log

The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"METAPOS SERVICE MANAGER" = "C:\MPOS_[RANDOM NUMBER].EXE"

The Trojan opens a back door on the compromised computer, and connects to the following location on TCP port 1080:
211.43.222.199

The Trojan logs key strokes and stores them in the following location:
C:\Windows\KBankStar_[YEAR OF CREATION]_[MONTH OF CREATION]_[DAY OF CREATION].log

The Trojan may use the back door to perform the following actions:
Send stolen key strokes to the remote location
Download and execute a remote file
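The following PowerShell host-triage script is an added example, not part of Symantec's signature page and not Symantec's code. It checks a Windows host for the indicators listed above (the dropped executables, the keystroke log, the Run registry value, and an established TCP connection to the listed address on port 1080) and prints a table of anything found. The `$findings` object layout, the use of `$env:SystemRoot` in place of the literal `C:\Windows`, and the exit code convention are my own assumptions; `Get-NetTCPConnection` requires the NetTCPIP module (Windows 8 / Server 2012 or later).

```powershell
# Added triage script (not Symantec's code). Reports the Backdoor.Kihomchi
# indicators from the signature page; no removal is performed.
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'METAPOS SERVICE MANAGER'
$C2Host   = '211.43.222.199'
$C2Port   = 1080
$findings = @()

function Add-Finding([string]$Type, [string]$Indicator) {
    # $script: scope so the helper appends to the shared list
    $script:findings += [pscustomobject]@{ Type = $Type; Indicator = $Indicator }
}

# 1. Dropped executables in the root of C: (MPOS.EXE and MPOS_<number>.exe)
if (Test-Path -LiteralPath 'C:\MPOS.EXE') { Add-Finding 'File' 'C:\MPOS.EXE' }
Get-ChildItem -Path 'C:\' -Filter 'MPOS_*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^MPOS_\d+\.exe$' } |
    ForEach-Object { Add-Finding 'File' $_.FullName }

# 2. Keystroke log: KBankStar_<year>_<month>_<day>.log in the Windows directory
#    (assumption: $env:SystemRoot is C:\Windows as on the page)
Get-ChildItem -Path $env:SystemRoot -Filter 'KBankStar_*.log' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^KBankStar_\d{4}_\d{1,2}_\d{1,2}\.log$' } |
    ForEach-Object { Add-Finding 'Keylog' $_.FullName }

# 3. Persistence: the "METAPOS SERVICE MANAGER" value under HKLM ...\Run
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$RunValue]) {
    Add-Finding 'Registry' ("{0}\{1} = {2}" -f $RunKey, $RunValue, $run.$RunValue)
}

# 4. Back door connection to the listed address on TCP port 1080
Get-NetTCPConnection -RemoteAddress $C2Host -RemotePort $C2Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'Network' ("{0}:{1} state={2} pid={3} ({4})" -f `
            $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess, $proc.ProcessName)
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Kihomchi indicators found on this host.'
    exit 0
}
$findings | Format-Table -AutoSize
# Assumption: non-zero exit lets an EDR or scheduled-task wrapper flag the host
exit 1
```

Run it in an elevated PowerShell session so that process names can be resolved for the network check; the file and registry checks work without elevation. A hit on the Run value or the keystroke log should be treated as a confirmed infection and the host isolated before the log file (which contains captured credentials) is collected for the incident record.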

Affected

  • Various platforms