Win32/Talkhib

Win32/Talkhib.A

Category: trojan
Size: 158872 B
Detection created: Aug 03, 2015
Detection database version: 12037
Aliases: Trojan-Downloader.Win32.Upatre.eeid (Kaspersky), Trojan:Win64/Talkhib.A!dha (Microsoft)
Short description

Win32/Talkhib.A is a trojan that tries to download other malware from the Internet. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %windir%\code (8192 B)
  • %windir%\data (13824 B)
  • %windir%\driver32.dat (5833 B)
  • %windir%\driver64.dat (5934 B)
  • %windir%\install32.dll (5242880 B, Win32/Talkhib.A)
  • %windir%\install64.dll (5242880 B, Win64/Talkhib.A)
  • %windir%\move.dat (3584 B)
  • %windir%\svchost.dat (16384 B)
  • %windir%\system32\drivers\CRYPTBASE.dll (5242880 B, Win32/Talkhib.A)
  • %windir%\syswow64\drivers\CRYPTBASE.dll (5242880 B, Win64/Talkhib.A)
  • %windir%\md5.txt
  • %windir%\key.txt
  • %windir%\temp\URL.DAT

The trojan registers itself as a system service using the following name:

  • WebDNS

This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebDns]
    • "ImagePath" = "%windir%\System32\svchost.exe -k netsvcs"
    • "ObjectName" = "LocalSystem"
    • "ErrorControl" = 1
    • "Start" = 2
    • "Type" = 16
    • "Description" = "WebDns"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebDns\Parameters]
    • "ServiceDll" = "%windir%\svchost"
  • [HKEY_CURRENT_USER\Software\svchost]
    • "install_path" = "%localappdata%\temp\svchost"
  • [HKEY_CLASSES_ROOT\Software\svchost]
    • "work_path" = "%localappdata%\temp\svchost"
  • [HKEY_USERS\S-1-%variable1%\Software\Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InProcServer32]
    • "(Default)" = "%localappdata%\temp\svchost\install32.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_USERS\S-1-%variable1%\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32]
    • "(Default)" = "%localappdata%\temp\svchost\install64.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable2%]
    • "Type" = 1
    • "ImagePath" = "\??\%windir%\driver32.dat"
    • "Start" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "netsvcs" = "WebDNS"

A string with variable content is used in place of %variable1% and %variable2%.
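As an added example (not part of the ESET description), the following read-only PowerShell hunt checks a host for the service registration, svchost group entry, dropped files and CLSID entries listed above. The variable names are mine; every loaded user hive under HKEY_USERS is enumerated because the page gives the SID only as %variable1%.

```powershell
# Added example, not from the ESET page: read-only hunt for the
# Win32/Talkhib.A persistence artifacts listed above. Run elevated.
$findings = @()

# 1. Service registration: the page lists a service named WebDns whose
#    ServiceDll points at %windir%\svchost (a file with no extension).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebDns'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service WebDns present: ImagePath=$($svc.ImagePath) Start=$($svc.Start)"
    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) { $findings += "WebDns ServiceDll=$($params.ServiceDll)" }
}

# 2. svchost group membership: the page says "netsvcs" is set to WebDNS.
#    netsvcs is REG_MULTI_SZ, so it comes back as a string array.
$groups = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
if ($groups.netsvcs -contains 'WebDNS') { $findings += 'WebDNS listed in SvcHost netsvcs group' }

# 3. Dropped files from the Installation section. CRYPTBASE.dll and sysprep.exe
#    do not normally live under the drivers directories.
$winDir = $env:windir
$paths = @(
    "$winDir\svchost", "$winDir\svchost.dat", "$winDir\install32.dll", "$winDir\install64.dll",
    "$winDir\driver32.dat", "$winDir\driver64.dat", "$winDir\code", "$winDir\data",
    "$winDir\move.dat", "$winDir\md5.txt", "$winDir\key.txt", "$winDir\temp\URL.DAT",
    "$winDir\system32\drivers\CRYPTBASE.dll", "$winDir\syswow64\drivers\CRYPTBASE.dll",
    "$winDir\system32\drivers\sysprep.exe", "$winDir\syswow64\drivers\sysprep.exe",
    "$env:LOCALAPPDATA\temp\svchost"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Artifact present: $p" }
}

# 4. CLSID InProcServer32 entries from the page, checked under every user hive.
$clsids = '{B12AE898-D056-4378-A844-6D393FE37956}', '{ECD4FC4D-521C-11D0-B792-00A0C90312E1}'
$hives = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -like 'S-1-*' }
foreach ($hive in $hives) {
    foreach ($c in $clsids) {
        $k = "Registry::$($hive.Name)\Software\Classes\CLSID\$c\InProcServer32"
        if (Test-Path $k) {
            $dll = (Get-ItemProperty -Path $k).'(default)'
            $findings += "CLSID $c InProcServer32 under $($hive.PSChildName): $dll"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Win32/Talkhib.A artifacts found.' }
```

Any hit on the WebDns service or the drivers-directory copies is worth a full triage, including the MBR and the tail of the physical disk the page says the trojan writes to.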


The trojan creates copies of the following files (source, destination):

  • %windir%\explorer.exe, %windir%\svchost
  • %windir%\system32\sysprep\sysprep.exe, %localappdata%\temp\svchost\sysprep.exe
  • %localappdata%\temp\svchost\sysprep.exe, %windir%\system32\drivers\sysprep.exe
  • %localappdata%\temp\svchost\sysprep.exe, %windir%\syswow64\drivers\sysprep.exe

Win32/Talkhib.A replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.


The trojan writes its own data to the end of the physical drive.

Other information

Win32/Talkhib.A is a trojan that tries to download other malware from the Internet.


The trojan contains a list of URLs.


It tries to download a file from these addresses.


The file is stored in the following location:

  • %windir%\svchost.tmp

The file is then decrypted and executed. The HTTP protocol is used in the communication.


The trojan behaves differently if any of the following Registry keys/values is detected:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "kxesc"
  • [HKEY_CURRENT_USER\Software\KasperskyLab]

The trojan behaves differently if it detects a running process containing one of the following strings in its name:

  • avp

The trojan contains both 32-bit and 64-bit program components.


The trojan hides its presence in the system.


It uses techniques common to rootkits.


The trojan executes the following files:

  • %windir%\system32\rundll32.exe %localappdata%\temp\svchost\install32.dll real_work
  • %windir%\system32\drivers\sysprep.exe
  • %windir%\syswow64\drivers\sysprep.exe
  • %windir%\explorer.exe
  • %system%\svchost.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe

The trojan executes the following commands:

  • ping 127.0.0.1
  • ipconfig /release
  • ipconfig.exe /renew

The trojan creates the following temporary files:

  • %localappdata%\temp\svchost\code (8192 B)
  • %localappdata%\temp\svchost\data (13824 B)
  • %localappdata%\temp\svchost\driver32.dat (5833 B)
  • %localappdata%\temp\svchost\driver64.dat (5934 B)
  • %localappdata%\temp\svchost\install32.dll (5242880 B, Win32/Talkhib.A)
  • %localappdata%\temp\svchost\install64.dll (5242880 B, Win64/Talkhib.A)
  • %localappdata%\temp\svchost\kernel32.dat (9474 B)
  • %localappdata%\temp\svchost\kernel64.dat (10341 B)
  • %localappdata%\temp\svchost\move.dat (3584 B)
  • %localappdata%\temp\svchost\svchost.dat (16384 B)
  • %localappdata%\temp\svchost\svchost.dll (1382 B)
  • %localappdata%\temp\svchost\CRYPTBASE.dll (5242880 B, Win32/Talkhib.A)
  • %localappdata%\temp\svchost\CRYPTBASE.dll (5242880 B, Win64/Talkhib.A)
  • %windir%\kernel32.dat (9474 B)
  • %windir%\kernel64.dat (10341 B)
  • %windir%\svchost.dll (1382 B)
  • %windir%\svchost.tmp.tmp

The trojan may delete the following Registry entries:

  • [HKEY_CLASSES_ROOT\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}]
  • [HKEY_CLASSES_ROOT\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable2%]
