Win32/Kovter [Threat Name] go to Threat

Win32/Kovter.A [Threat Variant Name]

Category trojan
Size 165927 B
Detection created Apr 02, 2014
Detection database version 10001
Aliases Trojan-Dropper.Win32.Injector.kdjv (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Short description

When executed, the trojan copies itself in some of the the following locations:

  • %commonappdata%\­Microsoft\­{%variable%}\­{%variable%}.exe
  • %localappdata%\­Microsoft\­{%variable%}\­{%variable%}.exe
  • %localappdata%\­{%variable%}\­{%variable%}.exe
  • %appdata%\­{%variable%}\­{%variable%}.exe
  • %windir%\­{%variable%}\­{%variable%}.exe

A string with variable content is used instead of %variable% .


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "{%variable%}" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­policies\­Explorer\­Run]
    • "{%variable%}" = "%malwarefilepath%"

The trojan launches the following processes:

  • %defaultbrowser%
  • explorer.exe
  • svchost.exe
  • %originalmalwarefile%

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates a new user account with the username:

  • NETWORK  SERVICE

and the password:

  • KCYmap719!

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­policies\­Ratings]
    • ".Default" = 1
  • [HKEY_CURRENT_USER\­\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­3]
    • "1400" = 0
    • "1402" = 0
    • "1407" = 0
    • "1206" = 0
    • "1601" = 0
    • "2300" = 0
    • "1809" = 0
  • [HKEY_CURRENT_USER\­\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­1]
    • "1400" = 0
    • "1402" = 0
    • "1407" = 0
    • "1206" = 0
    • "1601" = 0
    • "2300" = 0
    • "1809" = 0
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Internet Explorer\­Main]
    • "Display Inline Images" = "yes"
    • "Enable AutoImageResize" = "yes"
    • "Play_Animations" = "yes"
    • "UseThemes" = "yes"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BROWSER_EMULATION]
    • "%malwarefilename%" = %variable%
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Internet Explorer\­Main\­FeatureControl\­FEATURE_BLOCK_INPUT_PROMPTS]
    • "%malwarefilename%" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon\­SpecialAccounts\­UserList]
    • "NETWORK  SERVICE" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet002\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet003\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_CURRENT_USER\­AppEvents\­Schemes\­Apps\­Explorer\­Navigating]
    • ".Current" = ""

A string with variable content is used instead of %variable% .

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­%variable%]
  • [HKEY_CURRENT_USER\­SOFTWARE\­%variable%]

A string with variable content is used instead of %variable% .


The following programs are terminated:

  • java.exe
  • javaw.exe
  • javaws.exe
  • taskmgr.exe
  • TM.exe

The trojan hooks the following Windows APIs:

  • CoCreateInstance (ole32.dll)
  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • DirectSoundCreate (dsound.dll)
  • DirectSoundCreate8 (dsound.dll)
  • InternetReadFile (wininet.dll)
  • MessageBoxA (user32.dll)
  • MessageBoxW (user32.dll)
  • OpenProcess (kernel32.dll)
  • PostMessageA (user32.dll)
  • ShellExecuteA (shell32.dll)
  • ShellExecuteExA (shell32.dll)
  • ShellExecuteExW (shell32.dll)
  • ShellExecuteW (shell32.dll)
  • waveOutWrite (Winmm.dll)
  • WinExec (kernel32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.