The KBOT virus spreads terror on the web and can delete system files


KBOT can spread very quickly.

Over a decade ago, the ILOVEYOU virus appeared on the Internet and became one of the most widespread pieces of malicious code. It is also worth recalling Slammer, which caused the failure of ATMs belonging to Bank of America.

Classic viruses and worms once reigned. Today we deal mostly with other kinds of malware: ransomware, code that mines cryptocurrency for the attacker without our knowledge, spyware, programs that launch DDoS attacks, or ones that demand payment to unlock our files.

From time to time, however, classic viruses appear that cause trouble for computer users. One of them is KBOT, which "injects" itself into the code of Windows files.


KBOT is spreading terror online

Unfortunately, the KBOT virus can cause a lot of trouble if it gets into our system. It spreads primarily through websites, but also over local networks and removable media. After infecting the operating system, it installs itself in both the Startup folder and the Task Scheduler, and then infects every file with the .exe extension on the logical partitions as well as in shared folders.

When the virus scans our disks and finds .exe files, it tries to replace the IWbemObjectSink function of the Win32 application. It then uses the NetServerEnum and NetShareEnum APIs to retrieve paths to other network resources, through which it spreads further. Even worse, KBOT uses many tools and techniques to hide its activity, above all RC4 encryption and scanning for DLL libraries associated with antivirus software. The aim is to suspend the antivirus and add malicious code to legitimate processes that are already running.
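The two paragraphs above describe an infector that rewrites every .exe it can reach on local partitions and network shares. From the defender's side, the simplest way to notice that kind of tampering is a file-integrity baseline: hash the executables once while they are known-good, then re-hash and compare. The script below is an added example, not code from the article or its source; the directory layout, file contents and the simulated "infection" are constructed inside a temporary folder purely for the demonstration.

```python
"""Added example (not from the article): a minimal file-integrity baseline for
.exe files, the kind of check a defender can run against a share or partition
to spot executables that were modified or added since a known-good snapshot.
All paths and sample files below are constructed for the demonstration."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every .exe under root (recursive, case-insensitive suffix) to its hash."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() == ".exe":
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Report executables that changed, appeared or disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a fake share, then simulate an infector
    appending code to one executable and dropping a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "app.exe").write_bytes(b"MZ original program")
        (root / "notes.txt").write_bytes(b"not an executable, must be ignored")
        baseline = build_baseline(root)
        # Simulated infection (constructed): existing .exe altered, new .exe dropped.
        with (root / "tools" / "app.exe").open("ab") as f:
            f.write(b"<appended code>")
        (root / "dropped.EXE").write_bytes(b"MZ new binary")
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline dictionary would be written to storage that the scanned hosts cannot modify, and the comparison run from a scheduled job; a non-empty "modified" list for signed vendor binaries that have not been updated is exactly the signal an .exe infector leaves behind.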

The virus not only deletes files, but also wants to steal data

The malware discussed in this article may also try to steal the personal data of the infected computer's owner, namely the credentials used to access online financial and banking services. KBOT can also impersonate websites by using infected system functions and browsers, including Chrome and Firefox. For this purpose the virus wants to establish a link to its own server, which it does using the hosts.ini file. It is then able to send the computer's ID, the computer name, information about the operating system, lists of local users and data about the installed antivirus software.

KBOT can spread very quickly in the system as well as in the local network

The authors of the virus designed it so that, after using the hosts.ini file, it can connect to its own command-and-control (C2) server. What is more, the C2 connection is encrypted and also allows files to be deleted and updated, including removing the infection in a so-called self-destruct. The KBOT virus can also download additional modules that collect user data.

How to protect your computer against this kind of pest? The basis is a good antivirus program. It is also worth remembering to update not only the system but also your programs regularly.

Source: Bitdefender