Description:
Win32.Knooth.E is a backdoor trojan that gives its controller unauthorized access to a victim's machine.
Method of Installation
When executed from its current directory, it drops child.dll into the %System% directory. If this fails and the affected system runs NT, 2000 or XP, it places child.dll in the %AppData%\Microsoft directory instead.
Note: '%System%' is a variable location. The backdoor determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. %AppData% is also a variable location. The default location for this directory on Windows NT, 2000 or XP is C:\Documents and Settings\<current user name>\Application Data. The location of %AppData% is defined by the stored value of this registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
It creates the following registry keys and values (depending on where the child.dll file was dropped):
HKCR\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32 = "%System%\child.dll"
or
HKCR\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32 = "%AppData%\Microsoft\child.dll"
HKCR\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32\ThreadingModel = "Apartment"
It also sets the following registry value, which causes the Windows shell to load the DLL (via its CLSID) each time the shell starts:
On Windows 9x systems:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\OLE Automation Module = "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} "
On Windows NT/2000/XP systems:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} = "OLE Automation Module "
Knooth also attempts to delete the following registry value if it exists:
On Windows 9x systems:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Advanced Features
On Windows NT/2000/XP systems:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\Advanced Features
It then loads the dropped DLL using rundll32.exe. Finally, the original executable (the dropper) is deleted, as it is no longer required for the trojan's operation.
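The installation steps above leave a fixed registry footprint (the CLSID whose InProcServer32 names child.dll, and the SharedTaskScheduler or ShellServiceObjectDelayLoad entry that makes the shell load it). The following script, added here as an example and not part of the original analysis, checks a text file produced by `reg export` for that footprint so an infected host can be confirmed from an offline registry dump. The .reg parsing and the sample export embedded at the bottom are constructed for the example.

```python
"""Check a `reg export` text file for the Win32.Knooth.E registry footprint
described above: the CLSID whose InProcServer32 points at child.dll, plus the
SharedTaskScheduler (NT/2000/XP) or ShellServiceObjectDelayLoad (9x) entry that
makes the shell load it. Added example, not part of the original analysis; the
sample export at the bottom is constructed."""
import re

KNOOTH_CLSID = "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"
DROPPED_DLL = "child.dll"

# Locations named in the writeup, spelled the way `reg export` writes them
INPROC = "HKEY_CLASSES_ROOT\\CLSID\\" + KNOOTH_CLSID + "\\InProcServer32"
STS = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler"
SSODL = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}. Only REG_SZ data is
    decoded (every indicator here is a string); the default value is named ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # undo the escaping .reg files apply to REG_SZ data
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def _values_of(keys, wanted):
    """Case-insensitive key lookup: registry paths are not case-sensitive."""
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def find_knooth_indicators(text):
    """Return (indicator, evidence) pairs for every Knooth.E artefact present."""
    keys = parse_reg_export(text)
    findings = []

    inproc = _values_of(keys, INPROC)
    server = inproc.get("", "")
    if server.lower().endswith("\\" + DROPPED_DLL):
        findings.append(("clsid_inprocserver32", server))
        if inproc.get("ThreadingModel", "").lower() == "apartment":
            findings.append(("clsid_threadingmodel", "Apartment"))

    # NT/2000/XP: the value *name* under SharedTaskScheduler is the CLSID
    for name, data in _values_of(keys, STS).items():
        if name.lower() == KNOOTH_CLSID.lower():
            findings.append(("sharedtaskscheduler", data.strip()))

    # 9x: 'OLE Automation Module' under SSODL with the CLSID as its data
    for name, data in _values_of(keys, SSODL).items():
        if KNOOTH_CLSID.lower() in data.lower():
            findings.append(("ssodl", name))

    return findings


# Constructed XP-style export of an infected host; the Browseui entry is a
# normal neighbour that must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\\WINDOWS\\system32\\child.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module "

"""

if __name__ == "__main__":
    for indicator, evidence in find_knooth_indicators(SAMPLE_EXPORT):
        print(f"{indicator}: {evidence}")
```

Run it against the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion out.reg` and `reg export HKCR\CLSID out2.reg` (converted from UTF-16 if needed). Note that the CLSID match is deliberately exact: the DLL name alone is not a strong indicator, since child.dll is a generic name, but the CLSID plus the SharedTaskScheduler or SSODL entry is.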
Payload
Backdoor Functionality
Win32.Knooth.E listens on a random port (>1500) for an incoming connection. It then attempts to make an outbound connection on port 11040 to each of 8 predefined hosts. If it cannot connect to any of these hosts, it sleeps for 20 minutes before trying the connection procedure again.
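The connect-back behaviour above (a sweep of outbound attempts to port 11040 against a short list of hosts, then a 20-minute sleep, then the same sweep again) is visible in perimeter logs even when the controller hosts are unknown. The script below, added as an example and not part of the original analysis, flags internal hosts whose port-11040 attempts arrive in bursts spaced about 20 minutes apart. The log line format, the 203.0.113.x controller addresses and the sample lines are all constructed.

```python
"""Spot the Knooth.E connect-back pattern in firewall log lines: a burst of
outbound attempts to TCP/11040, silence for 20 minutes, then the same burst.
Added example, not from the original analysis; the log format and the
203.0.113.x controller addresses are constructed."""
import re
from datetime import datetime, timedelta

C2_PORT = 11040
RETRY_INTERVAL = timedelta(minutes=20)   # sleep interval stated in the writeup
TOLERANCE = timedelta(minutes=2)         # slack for scheduling and log jitter
BURST_WINDOW = timedelta(seconds=60)     # attempts closer than this form one sweep

# Constructed format: "<date> <time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, action, src, sport, dst, dport) or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6))


def find_knooth_beacons(lines, min_retries=2):
    """Return {src: {"bursts", "retry_gaps", "destinations"}} for sources whose
    port-11040 attempts come in sweeps whose start times are ~20 minutes apart.
    Gaps are measured between sweep starts, so a sweep that takes a few seconds
    still falls inside TOLERANCE of the stated 20-minute sleep."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _action, src, _sport, dst, dport = rec
        if dport != C2_PORT:
            continue
        per_src.setdefault(src, []).append((ts, dst))

    hits = {}
    for src, attempts in per_src.items():
        attempts.sort()
        bursts = []                      # [first_ts, last_ts] per sweep
        for ts, _dst in attempts:
            if not bursts or ts - bursts[-1][1] > BURST_WINDOW:
                bursts.append([ts, ts])
            else:
                bursts[-1][1] = ts
        gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
        retries = sum(1 for g in gaps if abs(g - RETRY_INTERVAL) <= TOLERANCE)
        if retries >= min_retries:
            hits[src] = {
                "bursts": len(bursts),
                "retry_gaps": retries,
                "destinations": sorted({dst for _ts, dst in attempts}),
            }
    return hits


def constructed_log():
    """Constructed sample: 192.168.1.20 sweeps eight controllers three times at
    20-minute spacing; 192.168.1.30 makes a single unrelated 11040 connection."""
    start = datetime(2004, 3, 2, 10, 0, 0)
    lines = []
    for sweep in range(3):
        for i in range(8):
            ts = start + sweep * timedelta(minutes=20, seconds=5) + timedelta(seconds=2 * i)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DENY TCP 192.168.1.20:{3000 + 8 * sweep + i}"
                         f" -> 203.0.113.{i + 1}:{C2_PORT}")
    lines.append("2004-03-02 10:05:00 ALLOW TCP 192.168.1.30:2301 -> 203.0.113.50:11040")
    lines.append("2004-03-02 10:06:00 ALLOW TCP 192.168.1.20:2302 -> 198.51.100.7:80")
    lines.append("garbage line the parser must skip")
    return lines


if __name__ == "__main__":
    for src, info in find_knooth_beacons(constructed_log()).items():
        print(src, info)
```

The listener on a random port above 1500 is a weaker signal (any inbound connection to a high port on a workstation is worth a look, but there is no fixed port to match on), so the example keys on the outbound side, where both the port and the retry cadence are fixed by the sample.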
Once connected the remote hacker can:
- Download files from the Internet
- Execute files
- Open files
- Use port forwarding
- Retrieve the version information of the trojan
- Download files from the host computer
- Exit the trojan
Analysis by Paul Taylor