Kelihos is considered the HIV of all malware. This Trojan is really famous, has been on TV and in other media news reports, and even has its own Wikipedia entry – http://en.wikipedia.org/wiki/Kelihos_botnet .
The Kelihos family of Trojans is not only huge, it is also impossible to list all its symptoms or show all the email messages it sends, because its variants are just too different from one another. Tens of thousands of samples are received by our lab almost daily.
The main purpose of this malicious family is to send spam emails, as many as it can.
Once executed, the Trojan scans every file it can reach on the infected machine looking for hardcoded email addresses, then sends large volumes of messages to each address found.
The subject and body of these messages vary, from “A good job with a good pay!” to “Meeting schedulers” and “Boston marathon bombing”.
Many of these email messages contain links to malicious sites and use social engineering tricks to make unsuspecting individuals click on them.
This way new systems get infected all over the place.
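As an added illustration (not code from the original post), a small detector for the sending behaviour described above: a single host mailing many distinct addresses with rotating subjects in a short window. The mail-gateway log format, host names and addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical gateway log format:
# "<ISO timestamp> from=<host> to=<recipient> subject=<text>"
SAMPLE_LOG = """\
2013-04-16T10:00:01 from=ws-17 to=alice@example.org subject=A good job with a good pay!
2013-04-16T10:00:02 from=ws-17 to=bob@example.net subject=Boston marathon bombing
2013-04-16T10:00:03 from=ws-17 to=carol@example.com subject=Meeting schedulers
2013-04-16T10:00:04 from=ws-17 to=dave@example.org subject=A good job with a good pay!
2013-04-16T10:00:05 from=ws-17 to=erin@example.net subject=Boston marathon bombing
2013-04-16T10:00:06 from=ws-17 to=frank@example.com subject=Meeting schedulers
2013-04-16T10:05:00 from=ws-03 to=alice@example.org subject=Q2 budget
2013-04-16T10:06:00 from=ws-03 to=alice@example.org subject=Re: Q2 budget
"""

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) subject=(.*)$")


def parse_log(text):
    """Yield (timestamp, host, recipient, subject); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_spam_hosts(text, window=timedelta(minutes=1), min_recipients=5, min_subjects=2):
    """Return {host: (distinct_recipients, distinct_subjects)} for hosts that, within
    any single `window`, mailed at least `min_recipients` different addresses using
    at least `min_subjects` different subjects. A workstation rarely does this; a
    spam bot mailing every harvested address with rotating subjects does it constantly."""
    events = defaultdict(list)
    for ts, host, rcpt, subj in parse_log(text):
        events[host].append((ts, rcpt, subj))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until all events in it fit the window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            rcpts = {r for _, r, _ in evs[start:end + 1]}
            subjs = {s for _, _, s in evs[start:end + 1]}
            if len(rcpts) >= min_recipients and len(subjs) >= min_subjects:
                flagged[host] = (len(rcpts), len(subjs))
                break  # the first qualifying window is enough to flag the host
    return flagged
```

Thresholds are deliberately low so the constructed sample trips them; on a real gateway they would be tuned to the site's normal per-host sending rate.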
Most variants of this Trojan use multiple malicious techniques to deliver their payload:
– Download and execute other files (Downloader)
– Gain backdoor access (Backdoor)
– Steal information from the infected system (Password stealer)
– Install legitimate software to help its own operations
– Add registry keys so it is executed on each Windows restart
– Operate as a peer-to-peer botnet
– Use various encryption techniques
– Act as a proxy server
– Log keystrokes (Key logger)
– Terminate computer security applications (terminate their processes and even delete them from disk)
– Create a new Windows user account and operate with administrator privileges
– Use the registry to store encrypted information
As of this writing, this dangerous family is still very much active, even though several years have passed since it was first seen. In any case, we consider this Trojan family a global (globally distributed) threat and a very dangerous system infection. The main advice is to keep an eye out for suspicious emails like the following, and always have a reliable security product installed.