System Infected: Trojan.Klovbot Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Klovbot activity on the compromised system.

Additional Information

This threat may arrive on the computer through email or drive-by download as one of the following files:

%CurrentFolder%\EasyBot.exe
%CurrentFolder%\MicroServIp.exe
%CurrentFolder%\Postales.exe
%CurrentFolder%\Postal_Gusanito.exe



When the Trojan is executed, it copies itself to the following location:
%Windir%\csrcs.exe

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\"Microsofts" = "%Windir%\csrcs.exe"

The Trojan then connects to a remote location, downloads a malicious version of the hosts file, and saves it to the following location:
%System%\drivers\etc\hosts

The modified hosts file redirects the user from legitimate websites to malicious sites.
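
The three artifacts described above (the self-copy, the Run value, and the replaced hosts file) can be checked on a suspect host with a read-only script. This is an added example, not Symantec's code; the function names are hypothetical, and the Wow6432Node key and the list of addresses treated as benign are assumptions not stated in the advisory.

```powershell
# Added example: read-only triage for the Trojan.Klovbot artifacts named in this advisory.
# Run from a 64-bit PowerShell session so System32 and HKLM\Software are not redirected.

function New-Finding($Indicator, $Detail) {
    [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail }
}

function Get-KlovbotIndicators {
    # 1. Self-copy named in the advisory: %Windir%\csrcs.exe
    $drop = Join-Path $env:windir 'csrcs.exe'
    if (Test-Path -LiteralPath $drop) {
        $sha = (Get-FileHash -LiteralPath $drop -Algorithm SHA256).Hash
        New-Finding 'Dropped file' "$drop SHA256=$sha"
    }

    # 2. Run value "Microsofts". The Wow6432Node key is an assumption added here:
    #    32-bit processes on 64-bit Windows have HKLM\Software writes redirected to it.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $p = Get-ItemProperty -Path $key -Name 'Microsofts' -ErrorAction SilentlyContinue
        if ($p) { New-Finding 'Run value' "${key}\Microsofts = $($p.Microsofts)" }
    }

    # 3. Hosts file (%System% is normally %Windir%\System32): list every active
    #    mapping to a non-loopback address so an analyst can review it.
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        $benign = '127.0.0.1', '::1', '0.0.0.0'   # assumption: loopback/null routes
        foreach ($line in Get-Content -LiteralPath $hosts) {
            $entry = ($line -replace '#.*$', '').Trim()   # drop comments
            if (-not $entry) { continue }
            $ip, $names = $entry -split '\s+'
            if ($names -and $benign -notcontains $ip) {
                New-Finding 'Hosts redirect' "$ip -> $($names -join ', ')"
            }
        }
    }
}

Get-KlovbotIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of the three artifacts is present; a hosts entry alone is not proof of infection, since administrators also add legitimate non-loopback mappings.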

Affected

  • Various Windows platforms