Trojan:Win32/Kilim.gen!C

Installation

This malware copies and runs itself from the following locations:

• %APPDATA%\chromenet.exe
• %APPDATA%\Chromium_Launcher.exe
• %APPDATA%\chromium.exe

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Google Chromium"
With data: "%APPDATA%\Chromium.exe"

It also modifies the following registry entries to lower your PC security settings:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\Software\Policies\Google\Update
Sets value: "UpdateDefault"
With data: "0"

Payload

Downloads other malware

This threat contacts three hardcoded servers to determine which one is online. It waits for a "server_ok" reply from the active server.

It checks which version of the Chrome web browser is installed on your PC. If you have a version other than 30.0.1573.2 the malware will download this version from its server. It then stops the chrome.exe process and replaces this file with the version of Chrome that the malware downloaded.

It then downloads and installs a Chrome ​plug-in that uses one of the following names:

• AdBlock Pro
• Raw manager
• Rawded Pro

We have seen the malware contact the following servers to downloading malware or malware updates:

• alsancakgaming.com
• facebookcheaplikes.net
• filmver.com
• filmverme.com
• joojlee.com
• likedealers.com
• pagesphp.net
• schedulesapps.com
• sosyaljs.com
• sosyaljss.com
• sosyalpatron.com
• tmobilevideo.mobi
• togd.org
• videotroppy.info
• voltaj.org
• windowsjava.com
• www.5lf.net
• www.filmver.com
• www.helpcdn.com
• www.jscmd.net
• www.kaplanphp.com
• www.kasarporno.com
• www.kingcdn.net
• www.kplncodes.info
• www.neran.net
• www.pagesphp.net
• www.pornokan.com
• www.rapfoto.com
• www.sosyaljs.com
• www.sosyaljss.com
• www.sosyaljssss.com
• www.sshup.com
• www.wjetphp.com
• www.yorcdn.com
• xmobilevideo.mobi
• yorcdn.com

The ​plug-in is installed as public.js and is detected as Trojan:JS/Kilim.AA. The plugin ID will be randomly generated.

The malware modifies the preferences of the downloaded plug-in to grant the following permissions:

• clipboardRead
• clipboardWrite
• contentSettings
• cookies
• history
• idle
• management
• notifications
• notifications
• storage
• tabs
• unlimitedStorage
• webNavigation
• webRequest
• webRequestBlocking
• webRequestInternal

Stops update services

This threat can stop Google update services from running on your PC. It does this by deleting the following file:

• %ProgramFiles%\Google\Update\GoogleUpdate.exe

It also deletes the following scheduled tasks:

• GoogleUpdateTaskMachineCore
• GoogleUpdateTaskMachineUA

Redirects your web browser

The malware can redirect your web browser from www.google.com to localhost by modifying the hosts file for any of the following update URLs:

• clientsX.google.com
• dl.google.com
• tools.google.com

It can also block access to security related websites, and stop Windows and browser updates by redirecting traffic to localhost. We have seen it redirect traffic from the following websites:

 Analysis by Daniel Chipiristeanu