Aliases: Virus.Win32.HLLW.Karimex, Win32.HLLW.Karimex, W32/Kotef.worm, Win32.HLLW.Generic.4, Troj/Kotef-A
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 01 Aug 2002
Damage: Low

Characteristics: W32.Kotef is a Trojan horse that attempts to copy itself to the following files: C:\Korea.exe, C:\Windows\Korea.exe, C:\Japan.exe, C:\Winnt\Korea.exe, and C:\Windows\Startm~1\Programs\Startup\Ktf.exe (the copy in the Startup folder runs each time Windows starts). It also attempts to modify the file Autoexec.bat and copies the file A:\Secret.exe to C:\Korea.exe.

More details about W32.Kotef

When W32.Kotef is executed, it displays a dialog box with two picture buttons. Clicking one of them makes the Trojan display a picture file. Clicking the other causes the Trojan to copy the bytes of its own file from offset 32768 to the end of the file into a new file with the same name as the original but with a .VIR extension. The Trojan also attempts to add a new value to the registry, to create the file C:\Run32.vbs, and to add two URL link files to the Windows desktop: the first links to the virus author's website, the second is a mailto link for sending mail to the author.

This Trojan also attempts to create the file C:\RunVbs.bat, which executes C:\Run32.vbs. W32.Kotef is also reported to collect information on the victim's Web activity; this is only possible once the malware has downloaded and installed spyware on the infected computer. Some reports claim it may only download adware that shows unwanted advertisements. Installation of W32.Kotef is reported to exploit security flaws in applications on the infected computer, using those vulnerabilities to download and install itself so that it runs without alerting the user.
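The file artifacts named in this description are what a responder would look for when confirming or cleaning an infection. The script below is an added example written for this page, not code from the source or from any antivirus vendor. It checks a drive root for the listed drop paths (spelled exactly as the description gives them, short-name form included), looks for X.vir files whose content equals the bytes of a sibling X.exe from offset 32768 onward, confirms that RunVbs.bat references Run32.vbs, and lists the .url shortcuts on a given desktop directory for manual review. The registry value name and the Autoexec.bat change are not specified on this page, so they are not checked; the desktop path is passed in rather than assumed.

```python
"""Scan a drive root for the file artifacts described for W32.Kotef.

Added example for this page; assumes the paths as listed in the description.
"""
from pathlib import Path

# Files the description says the Trojan tries to create, relative to the drive root.
KOTEF_DROP_PATHS = (
    "Korea.exe",
    "Japan.exe",
    "Windows/Korea.exe",
    "Winnt/Korea.exe",
    "Windows/Startm~1/Programs/Startup/Ktf.exe",
    "Run32.vbs",
    "RunVbs.bat",
)

# The description says the Trojan writes its own bytes from this offset to the
# end of the file into a copy that has a .vir extension.
OVERLAY_OFFSET = 32768


def find_dropped_files(root):
    """Return the listed drop paths that exist as regular files under root."""
    root = Path(root)
    return [rel for rel in KOTEF_DROP_PATHS if (root / rel).is_file()]


def find_vir_copies(directory):
    """Return (exe, vir) pairs where X.vir equals X.exe's bytes from OVERLAY_OFFSET on.

    Assumption: the .vir copy is written next to the original file.
    """
    pairs = []
    for vir in Path(directory).glob("*.vir"):
        exe = vir.with_suffix(".exe")
        if not exe.is_file():
            continue
        with open(exe, "rb") as f:
            f.seek(OVERLAY_OFFSET)
            tail = f.read()
        if tail and vir.read_bytes() == tail:
            pairs.append((exe.name, vir.name))
    return sorted(pairs)


def runvbs_launches_run32(bat_path):
    """True if the batch file references Run32.vbs, as the description says it does."""
    try:
        text = Path(bat_path).read_text(errors="replace")
    except OSError:
        return False
    return "run32.vbs" in text.lower()


def list_desktop_urls(desktop):
    """Return (name, target) for each .url shortcut on the desktop, for manual review.

    .url files are INI-style text with a URL= line under [InternetShortcut].
    """
    found = []
    for url_file in Path(desktop).glob("*.url"):
        target = ""
        for line in url_file.read_text(errors="replace").splitlines():
            if line.lower().startswith("url="):
                target = line[4:].strip()
                break
        found.append((url_file.name, target))
    return sorted(found)


def scan(root, desktop=None):
    """Collect every indicator this page describes; desktop is optional."""
    root = Path(root)
    return {
        "dropped_files": find_dropped_files(root),
        "vir_copies": find_vir_copies(root),
        "runvbs_launches_run32": runvbs_launches_run32(root / "RunVbs.bat"),
        "desktop_urls": list_desktop_urls(desktop) if desktop and Path(desktop).is_dir() else [],
    }


if __name__ == "__main__":
    import json
    import sys

    drive = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    desk = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(scan(drive, desk), indent=2))
```

Run it as `python kotef_scan.py C:\ "C:\Windows\Desktop"` on the suspect machine (the desktop location depends on the Windows version, so it is supplied explicitly). Any hit in `dropped_files` or `vir_copies` is a file to delete; the .url list only tells you which shortcuts to look at, since the author's addresses are not given on this page.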