Backdoor:Win32/Kelihos.A is a trojan that distributes spam email messages that may contain web links to installers of itself. It may also connect to remote computers to exchange configuration data and to download and execute arbitrary files.
Installation
Backdoor:Win32/Kelihos.A modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "SmartIndex"
With data: "<path and file name of Win32/Kelihos trojan>.exe"
This malware creates the registry subkey "HKCU\Software\Google" and stores the following configuration data in it:
In subkey: HKCU\Software\Google
Sets value: "AppID"
With data: "<variable data>"
Sets value: "ID"
With data: "0x00000050"
Sets value: "ID2"
With data: "<variable data>"
Sets value: "ID3"
With data: "<variable data>"
The malware creates a mapped file whose path has the following format:
<path>\boost_interprocess\<14 numerical digits>.<6 numerical digits>\googleimpl
The mapped file above refers to a shared memory object that the malware may use to check for its presence on the affected computer.
Note: "<path>" refers to either "C:\Documents and Settings\All Users\Application Data" or "C:\ProgramData", depending on the Windows version. The folder name "<14 numerical digits>.<6 numerical digits>" is derived from the system date and time.
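As an added example of how a defender might triage the installation artefacts listed above (this is not code from the original write-up, nor Microsoft's own tooling), the following Python script parses a `reg export`-style listing and a list of file paths and reports the Kelihos.A indicators: the "SmartIndex" Run value, the HKCU\Software\Google configuration values, and the boost_interprocess mapped-file path pattern. The registry text and file paths embedded in it are constructed sample data, not observed indicators; representing "ID" as a REG_DWORD is an assumption (the page only gives the data 0x00000050), and the lookups are case-insensitive because registry key and value names are.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a `reg export` style listing (not from a real host).
# "ID" is written as a DWORD here; that representation is an assumption.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"SmartIndex"="C:\\Documents and Settings\\user\\Application Data\\svchost.exe"

[HKEY_CURRENT_USER\Software\Google]
"AppID"="3f9c2b"
"ID"=dword:00000050
"ID2"="a1b2c3d4"
"ID3"="e5f6a7b8"
"""

# Constructed file listing: one path matches the documented mapped-file
# format, one has a non-numeric folder name, one is unrelated.
SAMPLE_PATHS = [
    r"C:\ProgramData\boost_interprocess\20110308104522.123456\googleimpl",
    r"C:\ProgramData\boost_interprocess\abc\googleimpl",
    r"C:\Users\user\Desktop\notes.txt",
]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
GOOGLE_KEY = r"HKEY_CURRENT_USER\Software\Google"
CONFIG_VALUES = ("AppID", "ID", "ID2", "ID3")

# <path>\boost_interprocess\<14 digits>.<6 digits>\googleimpl, with <path>
# being either of the two locations the write-up names.
MAPPED_FILE_RE = re.compile(
    r"^(?:C:\\Documents and Settings\\All Users\\Application Data|C:\\ProgramData)"
    r"\\boost_interprocess\\\d{14}\.\d{6}\\googleimpl$",
    re.IGNORECASE,
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key_path: {value_name: data}}.

    REG_SZ data ("...") is unquoted and unescaped; REG_DWORD (dword:XXXXXXXX)
    is normalised to "0x" + hex digits. Multi-line hex blobs are out of scope.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = "0x" + data[6:].lower()
        keys[current][name] = data
    return keys


def _ci_get(mapping: Dict[str, object], name: str):
    """Case-insensitive lookup, as the Windows registry itself is."""
    for key, value in mapping.items():
        if key.lower() == name.lower():
            return value
    return None


def find_kelihos_indicators(reg: Dict[str, Dict[str, str]], paths: List[str]) -> List[str]:
    """Return human-readable hits for the Kelihos.A installation artefacts."""
    hits: List[str] = []
    run_values = _ci_get(reg, RUN_KEY) or {}
    exe = _ci_get(run_values, "SmartIndex")
    if exe is not None:
        hits.append(f"Run value SmartIndex -> {exe}")
    google_values = _ci_get(reg, GOOGLE_KEY) or {}
    present = [v for v in CONFIG_VALUES if _ci_get(google_values, v) is not None]
    if present:
        hits.append("HKCU\\Software\\Google values: " + ", ".join(present))
    if str(_ci_get(google_values, "ID") or "").lower() == "0x00000050":
        hits.append("HKCU\\Software\\Google\\ID == 0x00000050")
    for path in paths:
        if MAPPED_FILE_RE.match(path):
            hits.append(f"boost_interprocess mapped file: {path}")
    return hits


if __name__ == "__main__":
    for hit in find_kelihos_indicators(parse_reg_export(SAMPLE_REG_EXPORT), SAMPLE_PATHS):
        print(hit)
```

On a live host the same functions can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU key) plus a directory listing of the two ProgramData locations; the regex deliberately requires the 14.6-digit folder shape so that ordinary Boost.Interprocess users of the same directory are not flagged on the name alone.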
Payload
Communicates with a remote host
Backdoor:Win32/Kelihos.A exchanges encoded information with a remote computer mainly through HTTP GET requests and responses. Using this information, it may do any of the following:
Update the list of computers that the malware connects to and exchanges information with (Note: the computers in this list may themselves be compromised by the malware.)
Send spam emails constructed from the templates and data received (Note: The subject, body and contents of the email vary and can be updated at any time.)
Download and execute an arbitrary file
Additional Information
Backdoor:Win32/Kelihos.A has a log file "feature". If it is run with the parameter "/loggs99", logging is enabled. The log file is saved in the directory from which the trojan executes, with the file extension ".LOG".
Analysis by Gilou Tenebro