KBL Uploader





Overview

Summary:

Restart method is identical to that of Cold Fusion 1.00

Vendor Notes:

From the doc: '*K.B.L. stands for KILL BIN LADEN. *This is a Firewall bypasser uploader. *This server uses the service from WWW.STATICIPNOTIFY.COM *Server is packed with upx v1.22. *Tested on XP, W2K, ME, 98, 98SE.'

Alias:

TrojanNotifier.Win32.KBLup.100, TrojanNotifier.Win32.KBLup.201

See Also:

Cold Fusion 1.00

Category:

Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

Notifier: Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.

Variants:

  • KBL Uploader 2.01
  • KBL Uplodater VWB 1.00 b1
    Similar Pests:

    Downloader · Notifier

    Origins

    Author:

    Satan_addict

    Group:

    Satanzcrew

    By This Group:

    Bachdoor.Coldfuson.11 ·

    Programming Language:

    Delphi

    Date of Origin:

    Variants from September, 2002 to December, 2002

    Distribution

    Prevalence:

  • KBL Uplodater VWB 1.00 b1: 0.1%

    Clot Factor:

  • KBL Uplodater VWB 1.00 b1: < 1
    The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

    Countries Affected:

    In the past three months, we have received reports of KBL Uploader in Spain.

    Operation

    Default Port:

    4004 TCP

    Storage Required:

  • KBL Uploader 2.01: at least 565 KB
  • KBL Uplodater VWB 1.00 b1: at least 737 KB
    Restart:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "navapw16"

    ScreenShot:


    K.B.L. Uploader FWB 1.0 beta1

    K.B.L. Uploader FWB 2.01


    Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.



    Manual Removal:

    Follow these steps to remove KBL Uploader from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
    Stop Running Processes:

    Kill these running processes with Task Manager:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

    Research

    File Analyses:

    Research By:

  • PestPatrol's Pest Research Center
    Last Revised:

    April 03, 2005