Worm.Kapucen.A

By Domesticus in Worms

Worm.Kapucen.A is a network worm that targets Windows operating systems. Worm.Kapucen.A is able to spread via removable media or peer-to-peer networks. On infecting a computer system, Worm.Kapucen.A will connect to the internet and communicate with a remote server via HTTP. Worm.Kapucen.A will also place a copy of itself in \svchost.exe and then create the file \Log.txt.

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor   Detection
Symantec           W32.Ecup
Sophos             W32/Kapucen-D
Prevx1             Cloaked Malware
Panda              W32/Puce.I.worm
NOD32              Win32/Kapucen.NAM
Microsoft          Worm:Win32/Puce.gen!B
eTrust-Vet         Win32/Puce.F
Comodo             Worm.Win32.Kapucen.~B
ClamAV             Worm.W32.Puce
CAT-QuickHeal      Win32.Worm.Puce.gen!B.4
AVG                Win32/Puce.E
AhnLab-V3          Win32/IRCBot.worm.variant
a-squared          P2P-Worm.Win32.Kapucen.b!IK
TrendMicro         WORM_KAPUCEN.B
Symantec           Trojan Horse

File System Details

Worm.Kapucen.A may create the following file(s):
#    File Name     MD5                               Detections
1.   svchost.exe   8dfc24fd74b0fbb4369b54fd39e5a1f7  0

Analysis Report

General information

Family Name: Trojan.Kapucen.A
Signature status: No Signature

Known Samples

Sample 1
MD5: 2ce1b578ed684c1384e2fcef574adea4
SHA1: 224aa58aaa92adb1aa1be24c9beeb6cb2d797dfd
SHA256: 6EE6DE486C43B00F8B6E35203634047544BBC20431C71B2B745A1882FCB9ECF8
File Size: 106.50 KB, 106496 bytes

Sample 2
MD5: f3b5063f655710fbe8ce3a77237983b2
SHA1: 8feb248a3678da666007f096bc64cbcbfb0838f7
SHA256: B6C4C271B5B31E72F273EC3ED69C7FBE19C8DE44495FAEA7B942BCD1C74B3F4B
File Size: 106.50 KB, 106496 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • HighEntropy
  • No Version Info
  • x86

Block Information

Total Blocks: 210
Potentially Malicious Blocks: 21
Whitelisted Blocks: 180
Unknown Blocks: 9

Visual Map

[Per-block visual map omitted. Legend: 0 = Probable Safe Block, ? = Unknown Block, x = Potentially Malicious Block]

Files Modified

File                                           Attributes
c:\users\user\appdata\local\temp\svchost.exe   Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\downloads\log.txt                Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496

Registry Modifications

Key::Value   |   Data   |   API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::windowsservicesstartup C:\Users\Gxddfjnw\AppData\Local\Temp\svchost.exe 1 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 (binary value data not reproduced) RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::windowsservicesstartup C:\Users\Kjsqotwn\AppData\Local\Temp\svchost.exe 1 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecute
User Data Access
  • GetUserObjectInformation
Anti Debug
  • NtQuerySystemInformation

Shell Command Execution

open Log.txt
C:\Users\Gxddfjnw\AppData\Local\Temp\svchost.exe 1
C:\Users\Kjsqotwn\AppData\Local\Temp\svchost.exe 1
