Aliases: Win32.Kassbot.D, Backdoor.Win32.Delf.zq, BackDoor.d, W32/KassbotD, BKDR_KASSBOT.D
Variants: Net-Worm.Win32.Nanspy.d, Generic.Delphi.b, Trojan.DownLoader.3636, W32/Nanpy-C 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 19 May 2005
Damage: Medium

Characteristics: The W32.Kassbot.A malware is a network-aware worm. It can open a backdoor on the infected computer via IRC. It monitors for access to particular financial websites and logs keystrokes when these sites are visited. When one of the monitored websites is visited, it either displays a fake login page or redirects to one. It then prompts the user to type in personal details such as username and password.

More details about W32.Kassbot.A

Upon execution on the target machine, the W32.Kassbot.A worm copies itself to the system as an EXE file and drops a log file and a DLL file. The DLL file is supposedly a hack tool. The worm adds a specific value to a registry subkey so that it executes when Windows launches. It then keeps track of the Internet connection so that it knows when access to one of the many financial websites it is monitoring has been established. All the information typed by the user is then logged in a keylog file. The worm also connects through TCP ports 1051 and higher to a predefined IRC server at a specific domain. This connection gives a remote hacker the means to carry out a host of malicious tasks on the machine.

The malicious tasks that a remote hacker can perform through the W32.Kassbot.A worm include setting up a proxy and server and logging all of the user’s keystrokes. It can likewise make the machine participate in distributed denial-of-service (DDoS) attacks. The worm can also retrieve and run files, which may contain an updated version of the worm, and act as an email relay that lets remote hackers route email messages. It can likewise start, stop and list services and processes, reroute HTTP traffic to other websites, and alter, execute and delete entire folders and files. The worm also alters the Hosts file, adding specific lines that block access to particular hosts, some of which may be security related.