AutoKMS is a Key Management Service (KMS) activation tool. Based on the volume license activation policy, AutoKMS is a utility for cracking Microsoft products. Curiously, it is often used to hack Microsoft Office even though there is a free OpenOffice suite. Found on 11/24/2010.

Features:

- It belongs to a family of trojans with hijacker features.
- A Trojan horse is an unwanted program that installs without the knowledge of the user.

Main actions:

- It installs as a process launched at system startup (RP),
- It installs as a service launched each time the system starts (O23), (SS/SR),
- It starts an automatic scheduled task (O39),
- It installs a process of variable size at the root of the system (O44),
- It creates a legacy key (O64),
- It creates an active incoming connection in the Windows Firewall application exceptions (O87).

ZHPDiag report:

[MD5.0ED398A4D031B9CFB10E3FEDF97AD836] – (.. – AutoKMS.) — C:\WINDOWS\AutoKMS.exe [614400]
[MD5.BCA43E19E7013331D99FF788EA6B42A0] – (…) — C:\WINDOWS\KMService.exe [151552]
O23 – Service: (KMService) . (…) – C:\WINDOWS\system32\srvany.exe
O39 – APT:Automatic Planified Task – C:\WINDOWS\Tasks\AutoKMS.job
O39 – APT:Automatic Planified Task – F:\Windows\Tasks\AutoKMSDaily.job
[MD5.CCA616647DB9370C88998AE25DA6997F] [APT] [AutoKMS] (…) — C:\Windows\AutoKMS\AutoKMS.exe
[MD5.CCA616647DB9370C88998AE25DA6997F] [APT] [AutoKMSDaily] (…) — C:\Windows\AutoKMS\AutoKMS.exe
O44 – LFC:[MD5.48A77273E8C545DCB70EEE3866CD2123] – 08/11/2010 – 20:34:34 —A- . (…) — C:\WINDOWS\AutoKMS.ini [135]
O44 – LFC:[MD5.0ED398A4D031B9CFB10E3FEDF97AD836] – 08/11/2010 – 20:32:28 —A- . (.. – AutoKMS.) — C:\WINDOWS\AutoKMS.exe [614400]
O44 – LFC:[MD5.485055033BCDDFDE56325C0D2FEEA4F2] – 27/05/2013 – 21:57:01 —A- . (…) — C:\Windows\KMSEmulator.exe
O64 – Services: CurCS – C:\WINDOWS\system32\srvany.exe – KMService (KMService) .(…) – LEGACY_KMSERVICE
O87 – FAEL: “TCP Query User{E3244365-7AC4-42B5-B1E3-7CF124A36877}C:\windows\kmsemulator.exe” | In – Public – P6 – TRUE | .(…) — C:\windows\kmsemulator.exe
O87 – FAEL: “UDP Query User{0DABD561-7555-4CB0-9A97-3E61FB221174}C:\windows\kmsemulator.exe” | In – Public – P17 – TRUE | .(…) — C:\windows\kmsemulator.exe
SR – | Auto 06/10/2010 8192 | C:\WINDOWS\system32\srvany.exe (KMService) . (…) – C:\WINDOWS\system32\srvany.exe
[HKLM\SYSTEM\CurrentControlSet\Services\KMService]
[HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KMSERVICE]
C:\Windows\KMSEmulator.exe
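
Report lines like the ones above can be triaged mechanically. The following Python code is an added example, not part of ZHPDiag or of the original page: it maps the section codes listed under "Main actions" to their persistence mechanism and flags lines that name an AutoKMS artifact. The function name `triage`, the regular expressions and the Spooler control line are assumptions made for illustration.

```python
import re

# Section codes from this page's "Main actions" list and what each one records.
SECTIONS = {
    "O23": "service",
    "O39": "scheduled task",
    "O44": "file created in system root",
    "O64": "legacy service key",
    "O87": "firewall exception",
    "SR": "service",
}

# Service and file names that appear in the report on this page (lower-cased).
INDICATORS = ("autokms", "kmservice", "kmsemulator")

# "O23 – Service: ..." ; the separator may be a hyphen or an en dash.
LINE_RE = re.compile(r"^\s*(O\d+|SR)\s*[-–]\s*(.*)$")
# Windows path without spaces; stops at quotes, pipes and brackets.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"”|\[\]]+')

def triage(report_text):
    """Return (section, mechanism, last path on the line) for each flagged line."""
    hits = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, rest = m.groups()
        # Match on the whole entry, not only the path: the service binary is
        # the generic srvany.exe wrapper, so only the service name gives it away.
        if not any(ind in rest.lower() for ind in INDICATORS):
            continue
        paths = PATH_RE.findall(rest)
        hits.append((code, SECTIONS.get(code, "unknown"), paths[-1] if paths else None))
    return hits

# Four lines quoted from the report above, plus one constructed benign control line.
SAMPLE = r"""
O23 – Service: (KMService) . (…) – C:\WINDOWS\system32\srvany.exe
O39 – APT:Automatic Planified Task – C:\WINDOWS\Tasks\AutoKMS.job
O64 – Services: CurCS – C:\WINDOWS\system32\srvany.exe – KMService (KMService) .(…) – LEGACY_KMSERVICE
O87 – FAEL: “TCP Query User{E3244365-7AC4-42B5-B1E3-7CF124A36877}C:\windows\kmsemulator.exe” | In – Public – P6 – TRUE | .(…) — C:\windows\kmsemulator.exe
O23 – Service: (Spooler) . (…) – C:\WINDOWS\system32\spoolsv.exe
"""

if __name__ == "__main__":
    for code, mechanism, path in triage(SAMPLE):
        print(f"{code:4} {mechanism:28} {path}")
```
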

Documentation:

KMS (Key Management Service) – Déploiement & Configuration

Alias:

RiskWare.Tool.CK [Malwarebytes Antimalware]
HKTL_KEYGEN [TrendMicro]
HackTool:Win32/Keygen [Microsoft]
Hijacker.Office
TR/Dropper.Gen [Avira AntiVir]
a variant of Win32/HackKMS.B [ESET Nod32]
Trojan.Click2 [DrWeb AntiVirus]

Remove:

Remove with ZHPCleaner
Diagnose with ZHPDiag

Trojan.AutoKMS | 2016-12-30T07:34:24+00:00 | Categories: Hijacker, Trojan