Mal/Katusha-F

Posted: July 11, 2012

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	9/10
Infected PCs:	1,609

First Seen:	July 11, 2012
Last Seen:	May 24, 2023
OS(es) Affected:	Windows

Mal/Katusha-F is an e-mail-distributed member of the Trojan.Katusha family, and, like all Katusha-based Trojans, can be involved in attacks against your computer's security or attempts to install other PC threats. Several variants of Mal/Katusha-F's favorite e-mail template have been observed so far, and SpywareRemove.com malware researchers warn against downloading any file attachments that claim to be confirmation of an airline seating reservation (Mal/Katusha-F's preferred scam). Anti-malware software should be able to detect Mal/Katusha-F as malicious even if you can't identify its e-mail as spam, although it should also be emphasized that no reputable airline would ever request that you refer to an e-mail file attachment, which is a significant security hazard in almost all circumstances.

The Fake Flight That's a Straight Ticket to a Mal/Katusha-F Infection

Mal/Katusha-F uses the same distribution strategy as such PC threats as Mal/EncPk-NS, Mal/SpyEye-B, Mal/JSRedir-K, Mal/BredoZp-B and Mal/ExpJS-AA: tricking victims into opening mass-e-mailed file attachments with fraudulent messages. Although the hooks for these scams often vary, current attacks by Mal/Katusha-F appear to be limited to reservations for a charter flight, with fake pricing calculations and other details apparently available from the 'attached booklet.' The exact message may use different airline names and can include different forms of typos, presumably to work around simplistic spam filters. However, SpywareRemove.com malware researchers have noted that the 'Charter flight reservation' subject line has, so far, been a static and unchanging element in the Mal/Katusha-F scam.

Unwary e-mail readers who choose to open the attached Zip file will unwillingly infect their PCs with Mal/Katusha-F. Mal/Katusha-F is still a fairly new PC threat as of this month, and, therefore, incompletely defined. SpywareRemove.com malware experts still recommend that Mal/Katusha-F-infected PCs be defended against attacks that are common to the Katusha family of Trojans. If you have clicked on a piece of Mal/Katusha-F spam and think your computer might be infected, analyzing your PC with appropriate anti-malware software is the safest means of removing Mal/Katusha-F.

Why Mal/Katusha-F and Your PC Together Could Equal Swiss Cheese for Security

Katusha-based PC threats like Mal/Katusha-F have a high probability of including backdoor Trojan capabilities. These functions, while not necessarily ones that will display flashy symptoms, can still be significant dangers to your computer's basic privacy and safety, as SpywareRemove.com malware experts have outlined in the attacks below:

Mal/Katusha-F may install other PC threats on your computer, either from a default payload in its own body or from files that are downloaded from a remote server.
Mal/Katusha-F may alter your system settings without consent. This can allow other PC threats to attack with ease, make your firewall as good as useless or even cause browser redirects (as in the case of the notorious DNS Changer panic).
Mal/Katusha-F may block security-related programs to prevent you from scanning your PC or deleting Mal/Katusha-F safely.

Aliases

TR/Barys.6008.14 [AntiVir]Trojan.Winlock.5490 [DrWeb]Gen:Variant.Barys.6008 [BitDefender]Trojan.Win32.Yakes.ahkk [Kaspersky]Artemis!2838A2DF838B [McAfee]Trojan-Dropper.Win32.Dapato [Ikarus]Generic.mfr!bq [McAfee-GW-Edition]TR/Kazy.81900.1 [AntiVir]Gen:Variant.Kazy.81901 [BitDefender]Trojan-Dropper.Win32.Dapato.bmwq [Kaspersky]Win32:Kryptik-JIB [Trj] [Avast]WS.Reputation.1 [Symantec](Suspicious) - DNAScan [CAT-QuickHeal]Trj/CI.A [Panda]Win32/Cryptor [AVG]
More aliases (57)

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%WINDIR%\system32\wpbt0.dll

File name: wpbt0.dll
Size: 134.65 KB (134656 bytes)
MD5: 2838a2df838b70c931637e7c9a7f0e87
Detection count: 16
File type: Dynamic link library
Mime Type: unknown/dll
Path: %WINDIR%\system32
Group: Malware file
Last Updated: August 21, 2012

%TEMP%\vohigzkbcn.exe

File name: vohigzkbcn.exe
Size: 62.46 KB (62464 bytes)
MD5: 0cee3723ecfc8e777a0f51a12fa563cd
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%
Group: Malware file
Last Updated: August 1, 2012

%LOCALAPPDATA%\Microsoft\Windows\4358\termmgr.exe

File name: termmgr.exe
Size: 49.66 KB (49664 bytes)
MD5: c5a3bba102d76a781b7e68a501c73a13
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\4358
Group: Malware file
Last Updated: August 13, 2012

%LOCALAPPDATA%\Microsoft\Windows\4657\thawbrkr.exe

File name: thawbrkr.exe
Size: 49.15 KB (49152 bytes)
MD5: cb67cfd755fea64aac1f611a4918e1d2
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\Windows\4657
Group: Malware file
Last Updated: July 26, 2012