Virus Detail

Win32.Kol.G

Date Published:
17 Dec 2004

Last Updated:
5 Jan 2005

Threat Assessment

Overall Risk: Very Low
Wild: Low
Destructiveness: Low
Pervasiveness: None

Characteristics

Type : Trojan

Category : Win32

Also known as: BackDoor-AWV (McAfee), W32/Banker.CM (F-Prot), BKDR_HACDEF.K (Trend), Win32/Kol.F.Trojan, Backdoor.Trojan (Symantec), Backdoor.Win32.Zins.gen (Kaspersky), Win32/Zins.C (NOD), Troj/Zins-A (Sophos)

Immediate Protection Info

Signature      Product                                      Removal Instructions
23.67.44       eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8719      eTrust Antivirus v7/8* (Vet Engine)
6.1x/5861      eTrust EZ Antivirus 6.1x
6.2x/8719      eTrust EZ Antivirus 6.2x
6.3x/8719      eTrust EZ Antivirus 6.3x
10.5x/5861     Vet Anti-Virus 10.5x
10.6x/8719     Vet Anti-Virus 10.6x

Description

Win32.Kol.G is a keylogging trojan with backdoor functionality.

Method of Infection

When the Kol.G trojan is executed, it copies itself to "%System%\logon.exe".


Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for Windows 95, 98 and ME, and C:\Windows\System32 for Windows XP.


Initially, it removes the following values from the registry (some of which are later reinstalled by the trojan as required):


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aux.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aux.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\logon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\logon.exe


The trojan then sets the following registry values so that "logon.exe" is executed at each Windows start:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\logon.exe = "%System%\logon.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logon.exe = "%System%\logon.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\logon.exe = "%System%\logon.exe"


Kol.G also creates the following registry key to store values it uses for its own purposes:


HKLM\SOFTWARE\Microsoft\Kernel


Back to top

Payload

Keylogging and Stealing Sensitive Information

Kol.G logs keystrokes that the user enters into particular windows (enabling it to capture information such as account details and passwords); these logs can be e-mailed to a remote attacker. The trojan monitors the affected machine and activates the keylogging function whenever the user opens a window whose title contains one of the following strings:


alliance & leicester internet banking
barclays ibank
building society - internet
digital banking
egg security login
enter memorable
first direct internet banking
hsbc internet banking
natwest
online service
woolwich internet


The trojan creates the file "%System%\z_ins.lg" to log the keystrokes entered. It also creates the directory "%System%\uninst" to store snapshots of the above windows, saved as .jpg image files.


The trojan also searches for the following strings in all ".doc" and ".txt" files located on the C: drive:


BARCLAYS
NATWEST
LLOYDS
WESTPAC
COMMONWEALTH BANK OF
MEMORABLE WORD
MEMORABLE INFORMATION
MEMBERSHIP NUMBER
PASSCODE
SECURITY NUMBER


If any of the above strings are found in the aforementioned files, the trojan copies the contents of the file to the log file "%System%\w_ins.lg".


The trojan searches for the following files in the %Windows% directory:


regsrv32.log
regsrv32.lgx


If found, the trojan copies these files to the directory "%System%\uninst" with an ".add" extension appended to them. These files are then e-mailed to a remote location.


Note: '%Windows%' is a variable location. The trojan determines the location of this folder by querying the operating system. The default Windows directory is C:\Winnt for Windows 2000 and NT, and C:\Windows for Windows 95, 98, ME and XP.


Finally, the trojan searches the "My Documents" folder for any file with one of the following strings in its name


password
account


and checks whether the files use the following extensions:


doc
zip
rar
txt
xls


If any such files are found by the trojan, they are e-mailed to a remote location.


Note: The trojan obtains the "My Documents" folder path by querying the following registry entry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SHELL FOLDERS\Personal
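
The following is an added example, not part of this advisory or of CA's tooling: a Python triage check for the host artifacts described in the Method of Infection and Payload sections above (the three autorun values, the HKLM\SOFTWARE\Microsoft\Kernel key, and the files and directories under %System% and %Windows%). `assess()` is a pure function over collected inputs (a dict of autorun values, the set of registry keys that exist, the set of paths that exist) so it can be exercised anywhere; `assess_live_host()` gathers those inputs from the local Windows host and assumes %System% is %SystemRoot%\System32, which holds for NT-family Windows but not for 95/98/ME.

```python
import os
import sys

# Autorun values the advisory says the trojan sets, as (key path, value name).
PERSISTENCE_VALUES = {
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "logon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "logon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "logon.exe"),
}
DATA_KEY = r"HKLM\SOFTWARE\Microsoft\Kernel"        # key it creates for its own values
SYSTEM_ARTIFACTS = ("logon.exe", "z_ins.lg", "w_ins.lg", "uninst", "uninst.exe")
WINDOWS_ARTIFACTS = ("hzuninst.bat",)

def artifact_paths(system_dir, windows_dir):
    """Full paths of the files and directories the advisory says Kol.G creates."""
    return [system_dir.rstrip("\\") + "\\" + n for n in SYSTEM_ARTIFACTS] + \
           [windows_dir.rstrip("\\") + "\\" + n for n in WINDOWS_ARTIFACTS]

def assess(autoruns, keys_present, paths_present, system_dir, windows_dir):
    """Pure check over collected inputs; returns a list of findings (empty = nothing seen)."""
    findings = []
    for (key, name), data in autoruns.items():
        if (key, name) in PERSISTENCE_VALUES and data.lower().endswith("\\logon.exe"):
            findings.append(f"autorun: {key}\\{name} = {data}")
    if DATA_KEY.lower() in {k.lower() for k in keys_present}:
        findings.append(f"registry key: {DATA_KEY}")
    have = {p.lower() for p in paths_present}       # Windows paths are case-insensitive
    findings += [f"file: {p}" for p in artifact_paths(system_dir, windows_dir) if p.lower() in have]
    return findings

def assess_live_host():
    """Windows-only collector for assess(); assumes %System% is %SystemRoot%\\System32."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs the Windows registry (winreg)")
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    def read(key, name=None):                       # None when the key or value is absent
        root, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                return str(winreg.QueryValueEx(h, name)[0]) if name else key
        except OSError:
            return None
    autoruns = {kv: d for kv in PERSISTENCE_VALUES for d in [read(*kv)] if d is not None}
    keys_present = {k for k in [read(DATA_KEY)] if k}
    windows_dir = os.environ["SystemRoot"]
    system_dir = windows_dir + "\\System32"
    present = {p for p in artifact_paths(system_dir, windows_dir) if os.path.exists(p)}
    return assess(autoruns, keys_present, present, system_dir, windows_dir)
```

The autorun check matches on the value data ending in "\logon.exe" rather than a fixed path, so it works whatever the actual %System% directory is on the host.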


Backdoor Functionality

Kol.G contains backdoor functionality that allows a remote user to:


  • Check for, download and execute an updated version of itself from a specified URL (downloaded as "%System%\uninst.exe")
    Note: When updated, the trojan deletes previous Kol variants by deleting the file "%System%\hzuninstz.exe" if it exists
  • Completely remove itself by executing the batch file "hzuninst.bat" (created in the %Windows% directory) and removing its associated registry entries
  • Upload the window snapshots located in "%System%\uninst" to an FTP Server
  • Retrieve System information
  • Add/Remove registry keys
  • Terminate Services and Processes

Stops Services

The trojan attempts to stop services that contain the following strings in their names:


agnitum
ad-aware
atguard
avp32
avpm
black ice
blackd
drweb
firewall
iamapp
kavlite
minilog
nav
nisserv
outpost
rapapp
spider
spysweeper
vsmon
zonealarm


Analysis by Amir Fouda
