Trojan.Win32.Kitkar

Discussion in 'Trojan Defence Suite' started by Devinco, Oct 12, 2004.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Everyone,

    A friend of mine seems to have picked up Trojan.Win32.Kitkar. Probably from some infected shareware or freeware.
    It is a WinXP Pro machine with TDS-3 (Process Memory Space scan was the only option off at the time of detection).
    It was noticed during a reboot after installation of some freeware.
    She happened to notice the Positive Identification in the TDS-3 window:
    Trojan.Win32.Kitkar in c:\windows\system32\srvreg.exe

    I was called over to the scene. In TDS-3, I right clicked the file to delete. It said it was running in memory and asked to terminate from memory, which I did. I right clicked it again to delete.
    I then rebooted in safe mode and scanned the whole computer with (Process Memory Space Scan).
    It did not turn up anything else or the dropper executable.
    I don't know how long it was on the system, but it was most likely very recent. NOD32 missed it.
    I rebooted and searched in regedit for srvreg. It came up with 3 instances of srvreg.exe, one of them in HKU\...\CurrentVersion\Run. I deleted all registry instances of srvreg.exe.

    I searched the web for more info on Kitkar and only came up with the Pest Patrol site.
    Is there a good site that lists this trojan along with recommended removal procedures besides Pest Patrol?
    What else do you think should be done to check if there are any remnants left?
    What can I do next time to improve my detection/removal procedure?
    When this trojan executes, does it remove the dropper? Because I couldn't find the dropper program.

    Thanks
     
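    The registry check described in the post above (searching for entries that point at srvreg.exe and deleting the autostart ones), as an added example that is not part of this thread: a small Python script that parses a regedit export (.reg file) and lists every value whose data references a given filename, flagging those under a ...\CurrentVersion\Run or RunOnce key. The sample export below is constructed for illustration and is not from the infected machine.

```python
import re

# Constructed sample of a regedit (.reg) export, not taken from the thread; the
# entries mimic the situation described above, where srvreg.exe was referenced
# from a HKU\...\CurrentVersion\Run key and from elsewhere in the registry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run]
"srvreg"="C:\\WINDOWS\\system32\\srvreg.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="\"C:\\Program Files\\Example\\app.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\srvreg.exe\shell\open\command]
@="\"C:\\WINDOWS\\system32\\srvreg.exe\" \"%1\""
'''

# Key fragments that mark an autostart location (matched case-insensitively).
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # start of a new key section
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ data is quoted; "\\" and "\"" are escape sequences
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data


def find_references(text, filename):
    """Return values whose data mentions filename, flagging autostart keys."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if filename.lower() in data.lower():
            autostart = any(m in key.lower() for m in AUTOSTART_MARKERS)
            hits.append({"key": key, "name": name, "data": data,
                         "autostart": autostart})
    return hits
```

    Running `find_references(SAMPLE_REG, "srvreg.exe")` on a full export (File > Export in regedit) gives the same list the manual regedit search produced, with the Run-key entries marked so they can be reviewed first.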
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Devinco,
    Could it be a part of the actual downloaded free / shareware?
    Always scan downloads before they are run; in this way TDS may have picked up the dropper program.

    Regarding other ways of cleaning up, I suppose HJT and or AutoStart Viewer would be good tools to help track things down.

    You could also use Advanced Process Manipulation and Advanced Process Termination (DCS free tools) in such circumstances.

    My preferred method nowadays is prevention rather than cure; the new version of Process Guard will fit the bill as it will stop untrusted programs from executing. Most modern RATs require a program to run to infect.
    Also the latest version will stop the installation of drivers / services, which is another method used by malware. Rootkits and keyloggers are stopped easily also.
    The new learning mode makes setting up PG a breeze, although this should always be installed on a "clean" system.

    So prevention, then as a second stop AV & AT.
     
  3. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    Also during your scan, did you select 'Advanced Deep-Search'? This scans in every executable file for possible unknown binded programs... So if there is an Unknown Binder that is released (which means it may be bypassed by the 'binded executables' option), selecting the 'Advanced Deep-search' will scan every executable for possible trojans inside another executable... scanning is a lot longer, but quite efficient... It will tell you it has found KitKar in another executable.

    I also do agree with Pilli here though, if you have Process Guard installed, you will notice strange behavior which should alarm you of something going on.

    I.e., you execute the freeware/shareware program which you think has the file inside... after you execute it, PG will alarm to allow execution. NEXT, if there's ANOTHER executable inside, PG will also alarm you of THAT execution, giving an indication that the trojan was inside the previous program and thus trying to unpack and execute the next program... If you allow the next instance to run, and you have TDS-3 loaded with execution protection enabled, TDS-3 will alarm you of the infected file... you have then found your initial culprit.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As far as I know this one is a self-contained pest.

    It is just the one file SRVREG.exe and it appears to be a possible premium rate dialler.

    It's not widespread and seems to be mainly on French-speaking computers.
    Where it comes from no-one seems to know, but I suspect it's probably a file sharing thing, seeing the Google search results on it.
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Pilli,

    Yes it could be part of the download, but I did a full system scan in safe mode (with all options) and it didn't detect the dropper. It is possible that it is somehow packed well inside the download. I will do a search for all her most recently downloaded files and have a closer look at each one.

    Thank you for the advice on the other tools. I used the AutoStart Viewer within TDS-3, but is the stand-alone viewer superior?
    I will look at the other tools as well.
    I agree about prevention. She only scanned the download with NOD32 (at least that was done).
    So far I have been able to convince her to get TDS-3, perhaps now she will scan every download with TDS-3 as well. And maybe I can convince her to get PG.

    Thanks! :)
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, it is a later version than the one in TDS3 with more autostarts included in its detection; there is a way to change TDS to see the new version but the instructions elude me ATM :)

    Cheers. Pilli
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi RodSoto,

    Yes, I scanned with all the options including advanced deep search. It did not seem to pick up the dropper or binder.
    How does TDS-3 normally alert you with execution protection on?
    Does the TDS-3 window automatically pop up?
    It was noticed in TDS-3 on a reboot directly after a freeware installation (the installation required a reboot). Perhaps during the installation, it dropped it in system32 but didn't execute and just changed the registry.

    Thank you for the advice. I have been appreciating PG power, perhaps this will be a good excuse for her to get it. :)
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Pilli!
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi dvk01,

    Thank you for the information. I had searched google, but didn't come up with much. Is there a good place to look up specific trojans?
    Fortunately she has no modem, just a LAN connection and cable access.
    She might have downloaded software with a French connection (not that it is the cause!). She does not do any file sharing.

    Thank you! :)
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It is almost useless to search by trojan name as each antivirus/antitrojan company has its own naming formula and they rarely match.

    It's much better to search by the file name, and over 90% of the hits on this one are in French, so it appears not very widespread but quite easy to remove.
     
  11. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    Ok, first TDS-3 needs to be loaded... execution protection enabled... (licensed users only). When you execute a file that is infected, it will not be allowed to execute; however, if you maximise TDS-3, it will state in there the file that was detected as malware.
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    TDS-3 was set up with execution protection. She never touches the settings to change them. There is no test like in WormGuard to see if Exec Prot is really running. I assume it was running, but I am not sure. I did Install Exec Prot again from TDS-3 just in case. I know the trojan had to have executed because TDS-3 said it needed to terminate it from memory before it could delete it and it did add registry entries. So either Exec Prot was not installed for some reason, or it didn't stop it.
    I am now running the recently downloaded files to see if it can be reproduced.

    Thanks RodSoto!
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Devinco, One other thing you should know about Execution Protection, if you do not already, is that TDS must be running, either showing the GUI or minimised to the Sys tray for Execution Protection to be active.

    HTH Pilli
     
  14. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Pilli,

    That is good to know. It was running in the system tray.
    I have tried reinstalling all of the programs she downloaded in the last week in the hopes of finding the "packed" dropper. I watched for the registry entries and the srvreg.exe in System32 folder along with any newly detected items in TDS-3. I even rebooted several times in case it would only load it on reboot.
    It appears to be gone now. I cannot find a trace of it left anymore, but it is a mystery as to where it came from.

    You have all been a great help and I appreciate it! :) :)
     