Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

You are here:ThreatsVirus and threats descriptionsKozog

Kozog


Aliases:

Kozog
DDoS_Kozog, DDoS.Kozog, Kozirog

Malware

W32

Summary

Kozog is Win32 DDoS (Distributed Denial of Service attack) trojan that was distributed by a hacker (or hackers group) in November 2000. The trojan was sent as email messages with attached file.



Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The message text and header looked like that:

 --------------------------------------------------------
 From: World Travel Agency Ltd. [office4@worldtravel.com]
 Sent: November 21, 2000 5:31 PM
 To: All tourists and vacationist
 Subject: Celebrate the New Millenium!
  World Travel Agency Ltd.
  359 BTC Drive
  P.O. Box 134108
  Seattle, WA 98108-23
  USA
 Dear Sir/Madam
 Celebrate the New Millenium! Discover the Paradise!
 We offer the most attractive package for the New Millenium celebrations you have ever seen.
 Pure nature, modern architecture and high technologies are fused to create the perfect resort.
 Reasonable prises, correctness, high quality services.
 Click on the zip-file below to see our offer!
 Make your neighbours envy!
 Best Regards,
 --------------------------------------------------------

The attached file intends to be displayed as ZIP archive, but it is Windows EXE file with the name: 

 "OFFER2001.ZIP  [many spaces]  .EXE"

This is trojan's "installer" that will affect computer if it is run. Because of "[spaces]" trick it will be displayed as .ZIP file in many cases, and that can tempt a user to open it.

When the EXE file (trojan's installer) is run, it extracts from itself two more executable files and copies them to Windows system director with names: 

 MRE.DLL
 SOUNDV.EXE

Under Win9x and WinNT these files are registered then in auto-run sections in different ways: under WinNT the trojan registers SOUNDV.EXE file in system registry:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run soundv.exe Under Win9x the DLL file is registered in SYSTEM.INI file in [boot] section: 

  drivers=mre.dll

The trojan then displays fake error message:

 Error
 A requred DLL does not exist.

(original spelling from a trojan's messagebox).

The SOUNDV.EXE file is the DoS trojan itself. The MRE.DLL is a small program that just executes the SOUNDV.EXE on each run. As a result under both Win9x and WinNT the SOUNDV.EXE component will be activated.

When this file is run (on next Windows restart) it will stay active as hidden application (service), then it enables auto-dial option in Internet settings, then performs DoS attack on the Bulgarian server "kozirog.netissat.net".






Technical Details: Kaspersly Labs and F-Secure Teams; November 2000



Submit a sample

Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)



Submit

F-Secure Community

Give advice. Get advice. Share the knowledge on our free discussion forum.



Go to Community