
Summary

Prevalence: Low

Name: Trojan.Klom.A

Type: Trojan

How it spreads: Malicious Websites

Affected operating system: All versions of the Windows® Operating System

Aliases:

Date of surface: Mar 5 2007 12:00AM

Description

Symptoms:
Presence of %SYSROOT%\System32\main.sys (may be dropped by other malware)

Description:
When the driver is loaded (possibly by other malware), it drops a DLL file from its resource section.
The DLL file drops another file, called ‘imapi.exe’ or ‘svchost.exe’, in the Temp directory and executes it.
File imapi.exe: This is the real Trojan that compromises your system. First it drops two files, named ‘restore.sys’ and ‘runtime.sys’, and then loads them.
Next, the Trojan drops wuauclt.exe and executes this file.
‘imapi.exe’ then deletes itself.

File restore.sys: This file is a rootkit driver. It will manipulate some objects exported by ‘ntoskrnl.exe’ and ‘tcpip.sys’, compromising your system.
This driver is also a filter driver, registering its own routine with the IP Filter Driver, this way it may filter your internet traffic.

File runtime.sys: This file is a rootkit driver. It installs its own notify routine that is triggered when a new process is created, so the rootkit is able to unlink EPROCESS structures from process chains, allowing malware to run in stealth. The rootkit will also patch ‘tcpip.sys’, overriding its dispatch routine, compromising your system.

File wuauclt.exe: This file is actually a Trojan downloader. First it will decrypt its data, then will create a mutex named `wuryf43hfjwee` to make sure it runs in a single instance. It will then attempt to open a connection to a web server and download a file that will be executed automatically once downloaded. The connection will not work if you are behind a proxy server.

This Trojan may download custom-made malware for your system, as it informs the server about your OS version. The link looks like this: http://{ip-address}/s_13_0?m={digit}r=1&a=1&os=9400000005000000010000000280{number}. The Trojan will try to connect to the server until it succeeds. If the download succeeds, the downloaded file is executed (through a new instance of services.exe), after which the Trojan deletes itself.
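As an added defensive example (not part of the eScan entry and not MicroWorld's tooling), the following Python script turns the indicators quoted in this description into simple checks a responder can run over exported data: the dropped-file names (main.sys, restore.sys, runtime.sys, and imapi.exe/wuauclt.exe under Temp), the single-instance mutex, and the shape of the beacon URL. The proxy log lines and file paths are constructed for the example. The URL regex assumes the `os=` prefix quoted above is fixed and that the host is a bare IP address, as the description shows; it accepts both `m={digit}r=1` as quoted and `m={digit}&r=1`.

```python
import re
from typing import Iterable, List

# Indicators taken from the eScan description of Trojan.Klom.A.
# Suffixes are matched against lower-cased, backslash-normalised paths.
# wuauclt.exe is only suspicious under Temp: the copy in System32 is the
# legitimate Windows Update client.
KLOM_FILE_INDICATORS = (
    "\\system32\\main.sys",
    "\\restore.sys",
    "\\runtime.sys",
    "\\temp\\imapi.exe",
    "\\temp\\wuauclt.exe",
)

# Mutex the downloader creates to make sure it runs in a single instance.
KLOM_MUTEX = "wuryf43hfjwee"

# Fixed part of the os= value quoted in the description (assumed constant).
OS_PREFIX = "9400000005000000010000000280"

# Beacon URL shape from the description:
#   http://{ip-address}/s_13_0?m={digit}r=1&a=1&os=<OS_PREFIX>{number}
BEACON_RE = re.compile(
    r"^https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"/s_13_0\?m=\d+&?r=1&a=1&os=" + re.escape(OS_PREFIX) + r"\d*$"
)


def is_klom_beacon(url: str) -> bool:
    """True if the URL matches the downloader's beacon pattern."""
    return BEACON_RE.match(url.strip()) is not None


def scan_proxy_log(lines: Iterable[str]) -> List[str]:
    """Return the client IP of every log line whose URL is a Klom beacon.

    Constructed log format: <client-ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and is_klom_beacon(fields[2]):
            hits.append(fields[0])
    return hits


def find_file_indicators(paths: Iterable[str]) -> List[str]:
    """Return the paths (e.g. from a file-system listing) that end in a
    dropped-file name from the description."""
    found = []
    for path in paths:
        normalised = path.lower().replace("/", "\\")
        if any(normalised.endswith(ind) for ind in KLOM_FILE_INDICATORS):
            found.append(path)
    return found


def is_klom_mutex(name: str) -> bool:
    """True if a mutex name (e.g. from a handle listing) is the Klom mutex."""
    return name == KLOM_MUTEX


# Constructed sample data: one benign request, two beacon variants, and a
# file listing mixing the legitimate wuauclt.exe with dropped files.
SAMPLE_PROXY_LOG = [
    f"10.0.0.12 GET http://198.51.100.7/s_13_0?m=3r=1&a=1&os={OS_PREFIX}12 200",
    "10.0.0.15 GET http://example.com/index.html 200",
    f"10.0.0.12 GET http://198.51.100.7/s_13_0?m=3&r=1&a=1&os={OS_PREFIX}12 200",
]
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\main.sys",
    r"C:\WINDOWS\System32\wuauclt.exe",            # legitimate, not flagged
    r"C:\DOCUME~1\user\LOCALS~1\Temp\wuauclt.exe",  # dropped downloader
    r"C:\WINDOWS\System32\drivers\runtime.sys",
]

if __name__ == "__main__":
    print("beaconing clients:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("suspicious files:", find_file_indicators(SAMPLE_PATHS))
    print("mutex present:", is_klom_mutex("wuryf43hfjwee"))
```

The file check is deliberately a suffix match on the path rather than a bare file-name match, so that ‘restore.sys’ does not also flag unrelated files whose names merely end in those letters, and so that wuauclt.exe is only reported when it sits in a Temp directory. Because the rootkit drivers hide processes and filter TCP/IP traffic on the infected host, run these checks on data exported from the machine (or collected at the proxy), not on output produced by tools running on it.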

Recovery

For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site > http://www.escanav.com/english/content/products/MWAV/escan_mwav.asp

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities. You can download and install the product from our eScan download page > http://www.escanav.com/english/content/products/generic_eScan/eScan.asp
