Newer and More Capable KIVARS Malicious Program Attacks 64-Bit Computers, Says Trend Micro
Security company Trend Micro says that KIVARS is one of the many malware strains now targeting computers running 64-bit operating systems.
The company recently examined the malware and found that it is being spread via TROJ_FAKEWORD.A, an installer that drops two .exe files and one MS Word document onto infected computers.
On 32-bit systems, copies of the executables are created in the Windows System directory under the filenames iprips.dll, which Trend Micro identifies as TROJ_KIVARSLDR, and winbs2.dll, identified as BKDR_KIVARS. The most recent KIVARS variant can infect both 64-bit and 32-bit computers; it installs the same components in the same directory, but the backdoor file carries a .dat or .tib extension.
The installer also uses the right-to-left override (RLO) technique and a genuine Word icon to disguise the malicious file, which is password-protected and also serves as a decoy.
When run, TROJ_KIVARSLDR drops and executes BKDR_KIVARS. The backdoor can then upload and download files, execute and manipulate files, uninstall anti-malware software, activate or deactivate its keylogger, capture screenshots, list drives, hide or show active windows, trigger left, right or double-left mouse clicks, and inject keyboard input.
The KIVARS backdoor also decodes its configuration and strings with a slightly modified version of RC4. The routine takes one additional byte parameter and checks whether that byte is greater than or equal to 80h; if so, it adds the byte to the XORed output of RC4. The same function is also used to decode a 10h-byte key.
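The modified RC4 routine described above, reimplemented as an analyst would for decoding strings recovered from a sample. This is an added example, not Trend Micro's or the malware's own code; it assumes the "added byte" means byte-wise addition mod 256 on each RC4 output byte, and the layering of a bootstrap key, the 0x10-byte key and the strings is an assumption for illustration (both labelled in the comments).

```python
# Added example (not Trend Micro's or the KIVARS sample's own code): an analyst-side
# reimplementation of the modified RC4 the article describes. Assumed interpretation:
# when the extra byte parameter is >= 0x80 it is added (mod 256) to each RC4-XORed
# output byte; below 0x80 the routine behaves as plain RC4.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def kivars_encode(key: bytes, data: bytes, extra: int) -> bytes:
    """Forward direction: RC4 XOR, then the extra byte is added when extra >= 0x80.
    Used here only to build test vectors for the decoder below."""
    xored = bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data))))
    if extra >= 0x80:
        xored = bytes((b + extra) & 0xFF for b in xored)
    return xored

def kivars_decode(key: bytes, data: bytes, extra: int) -> bytes:
    """Inverse: undo the byte addition first, then XOR the RC4 keystream back out."""
    if extra >= 0x80:
        data = bytes((b - extra) & 0xFF for b in data)
    return bytes(c ^ k for c, k in zip(data, rc4_keystream(key, len(data))))

def decode_config(bootstrap_key: bytes, enc_key: bytes,
                  enc_strings: list, extra: int) -> list:
    """Two-stage decode: first recover the 0x10-byte key the article mentions, then
    use it on the configuration strings. The layering (bootstrap key -> 16-byte key
    -> strings) is an assumption for illustration, not a documented KIVARS detail."""
    key = kivars_decode(bootstrap_key, enc_key, extra)
    if len(key) != 0x10:
        raise ValueError("decoded key is not 0x10 bytes; wrong key or extra byte?")
    return [kivars_decode(key, s, extra) for s in enc_strings]
```

With an extra byte below 0x80 the routine reduces to textbook RC4, so the standard "Key"/"Plaintext" test vector is a quick sanity check of the keystream before trusting any decoded strings.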
The newer KIVARS editions, which come in both 64-bit and 32-bit versions, show only minor differences once planted on a target computer. One example is that the installer and the backdoor it drops now use random filenames for their payloads.
The latest version of KIVARS also sends a randomly generated packet, after which a key that determines the C&C server's response is generated. Once the malware receives that response, it transmits the same information, RC4-encrypted. One change, however, is that the value of the first four bytes is now the total size of the data.
» SPAMfighter News - 14-07-2014