When executed, Trojan.Kobcka creates the following files:
Trojan.Kobcka has two main components: a mass mailer and a rootkit.
It hooks the following native API functions by patching the System Service Descriptor Table (SSDT):
This way, the virus manages to hide the registry keys it creates.
For the process to start in safe mode, it creates the following registry keys:
The virus also intercepts every process that is being created. This way it hides its process from Task Manager and from other programs that might detect it.
When executed, it first tries to connect to 206.66.[hide].[hide] on port 2531. When connected, it sends sensitive information about the infected computer (such as the version of the operating system and the port on which the virus can receive data). It then waits to receive a certain command (so the virus could also be considered a backdoor) and some data. The data transmitted over the network is encrypted using the string “Poshel-ka ti na hui drug aver” and decrypted with the string “reva grud iuh an it ak-lehsoP”.
Based on the operating system of the infected computer, the virus tries to download a file from a certain address: http://188.8.131.52/**** . The file is saved in the %Temp% folder and, when executed, it drops the same files described above (it works as an update).
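The two network behaviours described above (the outbound connection to port 2531 and the HTTP download from 188.8.131.52) are the easiest part of this Trojan to spot from the network side. The following is an added example, not code from the original write-up, that runs a small detection rule over constructed firewall-style connection log lines. The log format, the internal 10.0.0.x source addresses, and the last two octets of the 206.66.x.x destination are assumptions made for the example; the write-up only publishes the 206.66. prefix, so the rule keys on that prefix plus the port and treats port 2531 alone as a weaker indicator.

```python
"""Added example: flag connection-log lines matching the network behaviour
attributed to Trojan.Kobcka (TCP/2531 command channel, HTTP update download).
Not part of the original write-up; log format and sample addresses are assumed."""
import re
from dataclasses import dataclass

C2_PORT = 2531
C2_PREFIX = "206.66."          # only the first two octets are published
UPDATE_HOST = "188.8.131.52"   # update download address from the write-up

# Constructed sample log lines in an assumed "ts src:port -> dst:port proto action"
# format. 206.66.1.2 is a made-up host under the published prefix, not the real C2.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5:49152 -> 206.66.1.2:2531 tcp allow
2024-01-01T10:00:03 10.0.0.5:49153 -> 188.8.131.52:80 tcp allow
2024-01-01T10:00:05 10.0.0.7:49154 -> 93.184.216.34:443 tcp allow
2024-01-01T10:00:09 10.0.0.9:49155 -> 10.0.0.1:2531 tcp allow
2024-01-01T10:00:11 10.0.0.9:49156 -> 198.51.100.7:2531 tcp allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str
    confidence: str


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_private(ip):
    """RFC 1918 check; internal-to-internal traffic is not a C2 indicator here."""
    return (ip.startswith("10.") or ip.startswith("192.168.")
            or any(ip.startswith(f"172.{i}.") for i in range(16, 32)))


def classify(rec):
    """Map one parsed record to (reason, confidence) or None."""
    dst, dport = rec["dst"], rec["dport"]
    if is_private(dst):
        return None
    if dport == C2_PORT and dst.startswith(C2_PREFIX):
        return ("outbound TCP/2531 to published 206.66.x.x C2 prefix", "high")
    if dport == C2_PORT:
        # Port alone is a weak signal; surface it for triage, not as a verdict.
        return ("outbound TCP/2531 to unknown external host", "low")
    if dst == UPDATE_HOST and dport == 80:
        return ("HTTP request to update download host 188.8.131.52", "high")
    return None


def scan(log_text):
    """Run the rule over every line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    rec["dport"], *hit))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} [{f.confidence}] {f.reason}")
```

On the sample above the rule yields two high-confidence findings (the 206.66.x.x connection and the download host) and one low-confidence one (port 2531 to an unrelated external host), while the internal connection on the same port is ignored. In a real deployment the port-only rule should be paired with the host-side indicators from this write-up, since the SSDT hooks hide the process and registry keys from tools running on the infected machine but not from the network.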
The file has its own SMTP server, which tries to connect to the following addresses and send e-mails: