On this page it says under Symptoms:
The following can indicate that you have this threat on your PC:
You see these entries or keys in your registry
Trojan:Win32/Kovter
Alert level: Severe
First published: May 18, 2015
Latest published: Jun 09, 2016
Symptoms
The following can indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
  - In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1400"
    With data: "0"
  - In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1400"
    With data: "0"
The threat is already Quarantined on my Windows Defender so why do I still see these settings in my registry?
Windows Defender detects and removes this threat.
This malware family is well known for being tricky to detect and remove because of its file-less design after infection. It infects your PC so that the malware's operators can perform click-fraud and install additional malware on your machine.
A trojan is a type of malware that can't spread on its own. It relies on you to run it on your PC by mistake, or to visit a hacked or malicious webpage.
Trojans can steal your personal information, download more malware, or give a malicious hacker access to your PC.
Find out ways that malware can get on your PC.
What to do now
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:
You should change your passwords after you've removed this threat:
The Microsoft Active Protection Service (MAPS) uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
You can also see our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
On top of the recent (seen between March and April 2016) Kovter Adobe Flash malvertising attack, we have also seen the trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:
- Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
- Md5: 74dccbc97e6bffbf05ee269adeaac7f8
When Kovter is installed, the malware will drop its main payload as data in a registry key (HKCU\software\<random_chars> or HKLM\software\<random_chars>). For example, we have seen it drop the payload into the following registry keys:
- hklm\software\oziyns8
- hklm\software\2pxhqtn
- hkcu\software\mpcjbe00f
- hkcu\software\fxzozieg
Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:
- hklm\software\microsoft\windows\currentversion\run
- hklm\software\microsoft\windows\currentversion\policies\explorer\run
- hklm\software\wow6432node\microsoft\windows\currentversion\run
- hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
- hkcu\software\microsoft\windows\currentversion\run
- hkcu\software\classes\<random_chars>\shell\open\command
The dropped JavaScript registry usually has the format: “mshta javascript: <malicious Kovter JavaScript>”.
When executed at startup, this JavaScript will load the Kovter payload data from the registry key into memory and execute it. While executing in memory, the malware will also inject itself into legitimate processes including:
- iexplorer.exe
- explorer.exe
- regsvr32.exe
- svchost.exe
After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.
Lowers Internet security settings
It modifies the following registry entries to lower your Internet security settings:
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  Sets value: "1400"
  With data: "0"
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Sets value: "1400"
  With data: "0"
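As an added illustration (not part of the original write-up or of Microsoft's tooling), the following Python checker scans a `reg export` dump for the two registry artifacts described above: an autorun value whose data begins with "mshta javascript:", and zone action 1400 set to 0 under Internet Settings\Zones\1 or \3. The embedded dump, the value name and the inline script text are constructed sample data.

```python
import re

# Constructed excerpt in `reg export` (.reg) format (sample data, not a real capture);
# the value name and inline script stand in for the random names and obfuscated JavaScript described above.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"fxzozieg"="mshta javascript:<obfuscated script placeholder>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000
'''

# Autorun locations listed in the write-up, lower-cased and without the hive prefix.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
    r"\software\wow6432node\microsoft\windows\currentversion\run",
    r"\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run",
    r"\shell\open\command",  # HKCU\Software\Classes\<random_chars>\shell\open\command
)
ZONE_RE = re.compile(r"\\internet settings\\zones\\([0-9]+)$")

def parse_reg_export(text):
    """Yield (key, value_name, raw_data) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            yield key, name, data

def find_kovter_indicators(text):
    """Return (indicator, key, detail) tuples for the registry artifacts described above."""
    findings = []
    for key, name, data in parse_reg_export(text):
        lower = key.lower()
        # Autorun value whose data is an inline "mshta javascript:" launcher.
        if lower.endswith(AUTORUN_SUFFIXES) and data.strip('"').lower().startswith("mshta javascript:"):
            findings.append(("mshta_javascript_autorun", key, name))
        # Zone action 1400 (Active scripting) forced to 0 (Enable) in an Internet Settings zone.
        zone = ZONE_RE.search(lower)
        if zone and name == "1400" and data.lower() == "dword:00000000":
            findings.append(("active_scripting_enabled", key, zone.group(1)))
    return findings
```

Run it against a dump produced with `reg export HKCU hkcu.reg` to confirm that the values quoted in the question are the ones the write-up lists, rather than unrelated settings.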
Sends your personal information to a remote server
We have seen this malware send information about your PC to the attacker, including:
- Antivirus software you are using
- Date and time zone
- GUID
- Language
- Operating system
It can also detect some specific tools that you are using on your PC and send that information back to the attacker:
- JoeBox
- QEmuVirtualPC
- Sandboxie
- SunbeltSandboxie
- VirtualBox
- VirtualPC
- VMWare
- Wireshark
Click-fraud
This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does this by running several instances of Internet Explorer in the background.
Download updates or other malware
This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:
Analysis by Geoff McDonald and Duc Nguyen
Prevention
Take these steps to help prevent infection on your PC.