Threat Descriptions

Trojan-Downloader:W32/KDV-176347

Classification

Category :

Malware

Type :

Trojan-Downloader

Platform :

W32

Aliases :

Trojan-Downloader:W32/KDV-176347, Trojan.generic.kdv.176347, Trojan-Downloader.Win32.Agent.gctp

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This trojan is disguised as a DOC file. Upon executing the trojan, it will download a document from a remote site (hxxp://www.epof.ru/[...]/document.doc) and display it, furthering the deception that the trojan is legitimate. Below is a screenshot of the document displayed:

In the meantime, the trojan will attempt to download malicious files from the following URLs:

  • hxxp://www.epof.ru/[...]/load.php?file=0
  • hxxp://www.epof.ru/[...]/load.php?file=1
  • hxxp://www.epof.ru/[...]/load.php?file=2
  • hxxp://www.epof.ru/[...]/load.php?file=3
  • hxxp://www.epof.ru/[...]/load.php?file=4
  • hxxp://www.epof.ru/[...]/load.php?file=5
  • hxxp://www.epof.ru/[...]/load.php?file=6
  • hxxp://www.epof.ru/[...]/load.php?file=7
  • hxxp://www.epof.ru/[...]/load.php?file=8
  • hxxp://www.epof.ru/[...]/load.php?file=9
  • hxxp://www.epof.ru/[...]/load.php?file=uploader
  • hxxp://www.epof.ru/[...]/load.php?file=grabbers

At the time of writing, the domain contacted by the malware is blocked by the Browsing Protection feature of our product.