1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: Trojan.Klovbot Activity 2

System Infected: Trojan.Klovbot Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects Trojan.Klovbot activity on the compromised system

Additional Information

This threat may arrive on the computer through email or drive-by download as one of the following files:


When the Trojan is executed, it copies itself to the following location:

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\"Microsofts" = "%Windir%\csrcs.exe"

The Trojan then connects to a remote location, downloads a malicious version of the hosts file, and saves it to the following location:

The modified hosts file redirects the user from legitimate websites to malicious sites.


  • Various windows platforms
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube