W32/Kassbot-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Kassbot-D is a network worm with backdoor functionality for the Windows platform.

The backdoor component joins a predetermined IRC channel and awaits further commands from remote attackers.

W32/Kassbot-D monitors internet sessions and begins logging keypresses when it detects traffic to certain banking websites.

When run, W32/Kassbot-D copies itself to the Windows system folder as spools.exe and sets the following registry entry in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<Windows system folder>\spools.exe

W32/Kassbot-D drops a helper file to the Windows system folder as xee32.dll. Sophos's anti-virus products detect xee32.dll as W32/Kassbot-C.

The backdoor component joins a predetermined IRC channel and awaits further commands from remote attackers. The backdoor can be instructed to perform various tasks, including:

- start a proxy server
- take part in distributed denial of service (DDoS) attacks
- download and execute arbitrary files
- download updated copies of itself
- monitor internet sessions for visits to certain banking websites
- log keypresses
- serve as an email relay, allowing remote users to route email through the infected computer
- list/terminate processes
- redirect HTTP requests to alternate sites
- list, modify or delete files/folders
- execute arbitrary commands
- search the infected computer for specified files

To redirect HTTP requests, W32/Kassbot-D modifies the HOSTS file (typically located in <Windows system folder>\Drivers\etc). The worm initially appends entries to the HOSTS file that block access to the following domains; remote attackers can instruct it to append further entries via backdoor commands:

barclays.co.uk
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
hsbc.co.uk
ibank.barclays.co.uk
kaspersky-labs.com
kaspersky.ru
lloydstsb.co.uk
nwolb.com
online.lloydstsb.co.uk
personal.barclays.co.uk
www.barclays.co.uk
www.hsbc.co.uk
www.kaspersky-labs.com
www.kaspersky.ru
www.lloydstsb.co.uk
www.lloydstsb.com
www.nwolb.com
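The persistence entry and the HOSTS modification described above are both easy to verify on a suspect machine. The following Python triage helpers are an added example, not Sophos code: they check Run-key values for the "Spools Service Controller" entry or any value launching spools.exe, and parse a HOSTS file for mappings of the domains listed on this page. The registry values and HOSTS contents are constructed samples; on a live host they would be read from HKLM\Software\Microsoft\Windows\CurrentVersion\Run and <Windows system folder>\Drivers\etc\hosts.

```python
"""Triage helpers for the W32/Kassbot-D persistence and HOSTS indicators.
Added example, not Sophos code; inputs below are constructed samples."""

# Domains the page lists as blocked by the worm's initial HOSTS modification.
KASSBOT_BLOCKED_DOMAINS = {
    "barclays.co.uk", "ibank.barclays.co.uk", "personal.barclays.co.uk",
    "www.barclays.co.uk", "hsbc.co.uk", "www.hsbc.co.uk", "lloydstsb.co.uk",
    "online.lloydstsb.co.uk", "www.lloydstsb.co.uk", "www.lloydstsb.com",
    "nwolb.com", "www.nwolb.com", "kaspersky-labs.com", "www.kaspersky-labs.com",
    "kaspersky.ru", "www.kaspersky.ru", "d-eu-1f.kaspersky-labs.com",
    "d-eu-1h.kaspersky-labs.com", "d-eu-2f.kaspersky-labs.com",
    "d-eu-2h.kaspersky-labs.com", "d-ru-1f.kaspersky-labs.com",
    "d-ru-1h.kaspersky-labs.com", "d-ru-2f.kaspersky-labs.com",
    "d-ru-2h.kaspersky-labs.com", "d-us-1f.kaspersky-labs.com",
    "d-us-1h.kaspersky-labs.com", "downloads1.kaspersky.ru",
    "downloads2.kaspersky.ru", "downloads3.kaspersky.ru",
    "downloads4.kaspersky.ru", "downloads5.kaspersky.ru",
}

RUN_VALUE_NAME = "Spools Service Controller"  # value name the worm sets
DROPPED_EXE = "spools.exe"                     # copy of the worm in the system folder


def check_run_key(run_values):
    """run_values: {value name: data} as read from the HKLM Run key.
    Flags the worm's value name and any value whose executable is spools.exe."""
    findings = []
    for name, data in run_values.items():
        # Normalise quoting and slashes, then take the file name component.
        basename = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME.lower() or basename == DROPPED_EXE:
            findings.append(f"Run value '{name}' -> {data}")
    return findings


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping in HOSTS text.
    Comments (#) and blank lines are ignored; one line may name several hosts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def check_hosts(text):
    """Separate mappings for the page's domain list from any other non-localhost
    entry. A default Windows HOSTS file maps only localhost, so both groups
    deserve a look; the first is a direct Kassbot-D indicator."""
    known, other = [], []
    for ip, name in parse_hosts(text):
        if name in KASSBOT_BLOCKED_DOMAINS:
            known.append((name, ip))
        elif name not in ("localhost", "localhost.localdomain"):
            other.append((name, ip))
    return {"kassbot_domains": known, "other_entries": other}


# Constructed samples (not from a real infection).
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Spools Service Controller": r"C:\WINDOWS\system32\spools.exe",
}
SAMPLE_HOSTS = """# constructed HOSTS sample
127.0.0.1       localhost
::1             localhost
127.0.0.1 barclays.co.uk          # appended by the worm
127.0.0.1 www.hsbc.co.uk
127.0.0.1 d-eu-1f.kaspersky-labs.com
10.1.1.1  intranet.example        # legitimate local entry
"""

if __name__ == "__main__":
    print(check_run_key(SAMPLE_RUN_VALUES))
    print(check_hosts(SAMPLE_HOSTS))
```

Because the worm only appends, the original localhost lines survive; the useful signal is any mapping for a banking or anti-virus update host, whatever address it points to, since a legitimate HOSTS file has no reason to name them at all.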

W32/Kassbot-D monitors internet sessions and begins logging keypresses when it detects traffic to any URLs containing the following strings:

194.145.64.98
amfederal
apobank.de
bank.eldersruralbank.com.au
banking.apobank.de
banking.bankhaus-mayer.de
banking.bmwbank.de
banking.bw-bank.de
banking.cc-bank.de
banking.degussa-bank.de
banking.diba.de
banking.donner.de
banking.elba.at
banking.europace.ie
banking.hypo.at
banking.ing-diba.at
banking.martinbank.de
banking.privatbank.at
banking.raiffeisen.at
banking.santander.de
banking.seb.de
banking.vkb-bank.at
baufinanzierung.dslbank.de
billscenter.paytrust.com
bob.bankwest.com.au
brokerage.comdirect.de
cash.rin.ru
creditplus.de
davis-company.com
dfbonline.deutsche-factoring.de
dws-direkt.deutsche-bank.de
e-bank.feibbank.com
e-bank.wuestenrot.de
ebank.laiki.com
ebanker.arabbank.com.au
ebanking.bawag.com
ebanking.bgl.lu
ern.nnctx.com.ru
etimebanker.bankofthewest.com
ewm.ubs.com
fiservdmecom
fnc.asbbank.co.nz
hbci-banking.allbank.de
homebank.tsbbank.co.nz
ib.national.com.au
ib2.inetbank.net.au
ibank.stgeorge.com.au
inetbnkp.adelaidebank.com.au
internetbanking.gad.de
internetbanking.suncorpmetway.com.au
investing.schwab.com
konto.xcom-bank.de
leu.directnet.com
mbk.rbc.ru
mein.raiffeisen.at
my.banklenz.de
my.hypovereinsbank.de
my.ingretirementplans.com
netbanking.sozialbank.de
noname.de
olb.westpac
online-banking.weberbank.de
online-service.allianz.de
online.btfunds.com.au
online.westpac.com.au
onlineservices.amp.com.au
personal.macquarie.com.au
portal01.commerzbanking.de
portal1.izb.de
privatebanking.debema.de
privatkunden.union-investment.de
sec.westpac.co.nz
secure.accu.com.au
secure.americanfederal.net
secure.bankone.com.au
secure.dnetz-b2b.de
secure.easy-car-credit.de
secure.nationalinterbank.com
secure.rabobank.com.au
services.credit-suisse.de
ssl.4alpha.de
sso.americanexpress.com
swkbank.de
union-investment.de
uniservices3.uobgroup.com
upib.unionplanters.com
web.cplnn.com
web.da-us.citibank.com
webbank.standardchartered.com
wertpapier.schwaebische-bank.de
ww2.homebanking-berlin.de
www.abnamrofutures.com
www.amazon.com
www.americanexpress.com
www.anb.com.sa
www.anz.com
www.asia.citibank.com
www.axabanque.fr
www.bacaf.at
www.bamernet.hn
www.banco-general.com
www.banking.co.at
www.bankingonline.de
www.bankofindia.com
www.bankone.com
www.bankone.com.au
www.banpais.hn
www.barclaycard.de
www.bendigobank.com.au
www.berenbergbank.de
www.bks-banking.at
www.blcdirect.banquelaurentienne.ca
www.bnz.co.nz
www.boq.com.au
www.bv-activebanking.de
www.cashcards.net
www.cebit.de
www.cetelem.de
www.cetelembank.de
www.citibank.com.au
www.cortalconsors.de
www.creditmutuel.fr
www.daimlerchrysler-bank.com
www.dhbbank.com
www.dresdner-privat.de
www.dslstar.de
www.e-gold.com
www.ebank.hsbc.co.nz
www.ebankinter.com
www.efirstbank.com
www.eservices.baj.com.sa
www.fcb-e-bank.com
www.fh-vie.ac.at
www.firstbanks.com
www.fiservdmecom1.net
www.fiservla3.com
www.generalibank.at
www.global-banking.de
www.goldpouchexpress.com
www.hoernerbank.de
www.kiwibank.co.nz
www.loyalbank.com
www.midamericabank.com
www.mmgbank.com
www.myaxa.de
www.national-bank.de
www.ncrbanks.com
www.necu.com.au
www.netbank-money.de
www.netbanking.at
www.oberbank-banking.at
www.portal-banking.de
www.regions.com
www.sabadellatlantico.com
www.saradar.com
www.servicebank.at
www.site-secure.com
www.southtrust.com
www.sovereign.com
www.superbank.co.nz
www.usbank.com
www.visionsfcu.com
www.vr-ebanking.de
www.vr-networld-ebanking.de
www.westlbmarkets.net
www.winweb.seceti.it
www.wsk-bank.at
www0.advisernet.com.au
www1.internet-trading1.com
www1.netbank.commbank.com.au
www2.bankingonline.de
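During incident response it is useful to know which users on an infected machine visited a site that would have started the keylogger. The worm's trigger is a plain substring match against the URL, so short entries such as "amfederal" or "olb.westpac" fire on any URL containing them, and entries such as "www.amazon.com" and "www.cebit.de" show the list is not limited to banks. The Python below is an added example, not Sophos code: it applies that substring rule to a constructed proxy log using a subset of the trigger strings listed above; the log format ("epoch client-ip url") and the addresses in it are assumptions.

```python
"""Find proxy-log sessions that would have triggered W32/Kassbot-D keylogging.
Added example, not Sophos code; trigger subset from the page, log lines constructed."""
import re

# Subset of the page's trigger strings. Matching is substring, not exact host.
KASSBOT_TRIGGERS = (
    "194.145.64.98", "amfederal", "banking.bw-bank.de", "ebanking.bawag.com",
    "investing.schwab.com", "olb.westpac", "online.westpac.com.au",
    "sso.americanexpress.com", "www.amazon.com", "www.usbank.com",
)


def matching_triggers(url, triggers=KASSBOT_TRIGGERS):
    """Return every trigger string contained in url (case-insensitive substring
    match, mirroring the behaviour the page describes)."""
    u = url.lower()
    return [t for t in triggers if t.lower() in u]


# Assumed log layout: "<epoch> <client ip> <url>" separated by whitespace.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)")


def sessions_at_risk(log_lines):
    """Map client IP -> sorted list of URLs that would have started keylogging.
    Malformed lines are skipped so one bad record does not abort the scan."""
    at_risk = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if matching_triggers(m["url"]):
            at_risk.setdefault(m["client"], set()).add(m["url"])
    return {client: sorted(urls) for client, urls in at_risk.items()}


# Constructed sample log (addresses and hosts are made up for the example).
SAMPLE_LOG = [
    "1130000001 10.0.0.5 https://online.westpac.com.au/esis/Login",
    "1130000002 10.0.0.5 http://www.example.com/index.html",
    "1130000003 10.0.0.7 https://www.amfederal.com/accounts",  # short trigger "amfederal"
    "1130000004 10.0.0.9 https://olb.westpac.example/login",   # prefix trigger "olb.westpac"
    "1130000005 10.0.0.9 https://www.example.org/banking",
    "not a log line",
]

if __name__ == "__main__":
    for client, urls in sessions_at_risk(SAMPLE_LOG).items():
        print(client, urls)
```

Users whose sessions appear in the result should be treated as having had credentials captured for those sites from the infection time onward, because logging starts as soon as the URL matches and the worm reports the keystrokes over its IRC channel.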