Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Katar.417052
Date discovered:30/06/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:417.052 Bytes
MD5 checksum:519342b1fa03d41984c2340cea2f430b
IVDF version:7.10.08.233 - Wednesday, June 30, 2010

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: Generic Malware.bj trojan
   •  Panda: W32/Sohanat.KS
   •  Eset: Win32/AutoRun.Autoit.BJ
   •  Bitdefender: Trojan.AutoIT.AHQ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %HOME%\My Documents\My Pictures\My Pictures.exe
   • %WINDIR%\Xplorer.exe
   • %HOME%\My Documents\My Music\My Music.exe
   • %HOME%\My Documents\My Music.exe
   • %TEMPDIR%\Nature.scr
   • %drive%\KHATRA.exe
   • %TEMPDIR%\download.exe
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\Administrator.exe
   • %TEMPDIR%\Hacker.exe
   • %SYSDIR%\gHost.exe
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
   • %TEMPDIR%\Administrator.scr
   • %SYSDIR%\KHATRA.exe
   • %TEMPDIR%\fhset267.exe
   • %TEMPDIR%\bikini02.scr
   • %TEMPDIR%\dmario.exe
   • %TEMPDIR%\kavSetup.exe
   • %HOME%\My Documents\My Pictures.exe
   • %WINDIR%\KHATARNAKH.exe
   • %TEMPDIR%\slideshow.exe
   • %TEMPDIR%\clean.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %TEMPDIR%\cab7
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\desktop.ini
   • %HOME%\Start Menu\Programs\Startup\desktop.ini
   • %TEMPDIR%\cab9
   • %TEMPDIR%\kma58507.tmp
   • %TEMPDIR%\cab2
   • %TEMPDIR%\kma23069.tmp
   • %TEMPDIR%\cab6
   • %TEMPDIR%\cab5
   • %TEMPDIR%\cab4
   • %TEMPDIR%\aut1.tmp
   • %TEMPDIR%\kma93906.tmp
   • %TEMPDIR%\kma47137.tmp
   • %TEMPDIR%\cab11
   • %TEMPDIR%\cab10
   • %TEMPDIR%\kma18334.tmp
   • %TEMPDIR%\kma70143.tmp
   • %TEMPDIR%\cab8
   • %TEMPDIR%\kma21642.tmp
   • %TEMPDIR%\kma33907.tmp
   • %TEMPDIR%\cab3
   • %TEMPDIR%\aut2.tmp
   • %TEMPDIR%\kma12467.tmp
   • %TEMPDIR%\kma78450.tmp



The following files are created:

– %WINDIR%\inf\Autoplay.inF This is a non malicious text file with the following content:
   • %code that runs malware%

– %HOME%\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF This is a non malicious text file with the following content:
   • %code that runs malware%

– %ALLUSERSPROFILE%\Start Menu\Programs\Startup\(Empty).LNK This is a non malicious text file with the following content:
   • %code that runs malware%

– %drive%\Autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

– %TEMPDIR%\cab9
– %TEMPDIR%\cab3
– %WINDIR%\mario675.cab
– %TEMPDIR%\kma12467.tmp
– %WINDIR%\New WinZip File.cab
– %WINDIR%\CyberWar.cab
– %WINDIR%\supermodels.cab
– %TEMPDIR%\cab11
– %TEMPDIR%\cab10
– %TEMPDIR%\kma70143.tmp
– %WINDIR%\new-screamsaver.com.cab
– %TEMPDIR%\kma23069.tmp
– %WINDIR%\fh_antivirussetup6534.cab
– %WINDIR%\K.Backup\C_Drive_Documents and Settings_All Users_Start Menu_Programs_Startup_desktop.ini.FUCKED
– %WINDIR%\K.Backup\C_Drive_Documents and Settings_Administrator_Start Menu_Programs_Startup_desktop.ini.FUCKED
– %TEMPDIR%\kma18334.tmp
– %TEMPDIR%\kma93906.tmp
– %TEMPDIR%\kma47137.tmp
– %TEMPDIR%\kma33907.tmp
– %TEMPDIR%\aut1.tmp
– %TEMPDIR%\kma58507.tmp
– %WINDIR%\New WinRAR archive.cab
– %WINDIR%\kavSetupEng3857.cab
– %TEMPDIR%\aut2.tmp
– %TEMPDIR%\kma21642.tmp
– %WINDIR%\Youtube.cab
– %TEMPDIR%\kma78450.tmp
– %TEMPDIR%\cab2 Further investigation pointed out that this file is malware, too. Detected as: TR/Katar.417052

– %TEMPDIR%\cab7
– %TEMPDIR%\cab6
– %TEMPDIR%\cab5
– %TEMPDIR%\cab4 Further investigation pointed out that this file is malware, too. Detected as: TR/Katar.417052

– %TEMPDIR%\cab8
– %WINDIR%\New WinRAR ZIP archive.cab



It tries to executes the following files:

– Filename:
   • %SYSDIR%\KHATRA.exe


– Filename:
   • netsh firewall add allowedprogram program=%SYSDIR%\KHATRA.exe name=System


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\bikini02.scr %TEMPDIR%\kma47137.tmp


– Filename:
   • MakeCab %TEMPDIR%\bikini02.scr %TEMPDIR%\kma47137.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\ADMINI~1.SCR %TEMPDIR%\kma33907.tmp


– Filename:
   • MakeCab %TEMPDIR%\ADMINI~1.SCR %TEMPDIR%\kma33907.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\Nature.scr %TEMPDIR%\kma21642.tmp


– Filename:
   • MakeCab %TEMPDIR%\Nature.scr %TEMPDIR%\kma21642.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\fhset267.exe %TEMPDIR%\kma58507.tmp


– Filename:
   • MakeCab %TEMPDIR%\fhset267.exe %TEMPDIR%\kma58507.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\dmario.exe %TEMPDIR%\kma18334.tmp


– Filename:
   • "%WINDIR%\Xplorer.exe" /Windows


– Filename:
   • MakeCab %TEMPDIR%\dmario.exe %TEMPDIR%\kma18334.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\kavSetup.exe %TEMPDIR%\kma12467.tmp


– Filename:
   • MakeCab %TEMPDIR%\kavSetup.exe %TEMPDIR%\kma12467.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\download.exe %TEMPDIR%\kma78450.tmp


– Filename:
   • MakeCab %TEMPDIR%\download.exe %TEMPDIR%\kma78450.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\Hacker.exe %TEMPDIR%\kma23069.tmp


– Filename:
   • MakeCab %TEMPDIR%\Hacker.exe %TEMPDIR%\kma23069.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\clean.exe %TEMPDIR%\kma70143.tmp


– Filename:
   • MakeCab %TEMPDIR%\clean.exe %TEMPDIR%\kma70143.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C MakeCab %TEMPDIR%\SLIDES~1.EXE %TEMPDIR%\kma93906.tmp


– Filename:
   • "%SYSDIR%\gHost.exe" /Reproduce


– Filename:
   • MakeCab %TEMPDIR%\SLIDES~1.EXE %TEMPDIR%\kma93906.tmp


– Filename:
   • %SYSDIR%\cmd.exe /C AT /delete /yes


– Filename:
   • AT /delete /yes


– Filename:
   • %SYSDIR%\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSDIR%\KHATRA.exe


– Filename:
   • AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSDIR%\KHATRA.exe


– Filename:
   • %SYSDIR%\cmd.exe /C RegSvr32 /S %SYSDIR%\avphost.dll


– Filename:
   • RegSvr32 /S %SYSDIR%\avphost.dll


– Filename:
   • %SYSDIR%\cmd.exe /C netsh firewall add allowedprogram program=%SYSDIR%\KHATRA.exe name=System

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Taskman"="%SYSDIR%\KHATRA.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Xplorer"=""%WINDIR%\Xplorer.exe" /Windows"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\KHATRA.exe"="%SYSDIR%\KHATRA.exe:*:Enabled:System"



The following registry keys are added:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   • "Window Title"="Internet Exploiter"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001

– [HKCU\Software\Nico Mak Computing\WinZip\caution]
   • "NoUnsafeTypeCautionForEXE"="1"
   • "NoUnsafeTypeCautionForSCR"="1"

– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   • "AtTaskMaxHours"=dword:0x00000000

– [HKLM\SOFTWARE\KHATRA\Startup_List]
   • "Xplorer"=""%WINDIR%\Xplorer.exe" /Windows"
   • "ctfmon.exe"="%SYSDIR%\ctfmon.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoControlPanel"=dword:0x00000001



The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   New value:
   • "CheckedValue"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\TermService]
   New value:
   • "Start"=dword:0x00000002

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   New value:
   • "%user defined settings%"="%WINDIR%\Xplorer.exe"
   • "%user defined settings%" = "%WINDIR%\Xplorer.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr]
   New value:
   • "Start"=dword:0x00000002

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • "Load"="%SYSDIR%\KHATRA.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\upnphost]
   New value:
   • "Start"=dword:0x00000002

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoDriveTypeAutoRun"=dword:0x000000ff

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, July 9, 2010
Description updated by Petre Galan on Friday, July 9, 2010

Back . . . .