I have been informed of a Kovter infection here at work, but I'm struggling to track it down. I have the following information:

2015-01-27 08:40:09


port 43533

hostname mail.OURDOMAIN

infection Kovter

url /w1/form.php

cc_asn 1101


I tried filtering by port:

tcp.port eq 43533

But nothing shows up. Can anyone suggest something else to track this down?

Thanks in advance

EDIT: I did find this site that goes into detail about this infection, but alas...I'm not 100% sure where to start with Wireshark.

asked 29 Jan '15, 03:22


edited 29 Jan '15, 08:04

I'm not familiar with this malware, but based on the link you provided, you may want to try editing/adding a coloring rule(s) for some extensions that might be in use, such as: .exe .pl .py .pw .biz

E.g. frame matches ".(?i)exe"


answered 30 Jan '15, 16:35



First, thank you for replying and sorry it's taken so long for me to reply. I had given up hope. Sorry to bug you again, but would ".(?i)biz" be enough...or any of the following?

http.request.uri matches ".(?i)biz"

http contains ""

Thanks again, really appreciate you taking time to reply.

(05 Feb '15, 07:40) F2000

First, it seems that they either updated their analysis, or I didn't read it well enough the first time (more likely the latter). The .py/.pl extensions are not relevant (so my apologies on the misinformation).

With regard to the coloring rule, I like 'frame matches' because the protocol needs to be recognized as http in order for an 'http' coloring rule to find a match. That being said, an http-specific rule may work just fine so the syntax of the rule here may be a non-issue in that one respect.

In addition to ',' it looks like the following names should also be looked for: (I think this is a locally run request on an infected host, so this may not show up in traffic)

Also ... '' doesn't resolve but does. Both domains are registered, but only the latter currently has a DNS record. Regardless, rules for both will cover those bases.



answered 05 Feb '15, 13:30

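The following is an added illustration, not code from the thread or from Wireshark, of how the `matches` expressions discussed above behave. It emulates Wireshark's `matches` operator (an unanchored PCRE search) over a few constructed HTTP requests, comparing the `frame`-wide scope with the `http.request.uri` scope and showing why the unescaped `.` in `.(?i)exe` also hits a path like `/texec/`. Wireshark's PCRE engine accepts `(?i)` anywhere in the pattern; Python's `re` requires the flag at the start, so the patterns below are written as `(?i).exe` and `(?i).biz`. All hostnames and paths are made up.

```python
import re

# Constructed sample requests (not from the asker's capture): each is the
# request line plus a Host header, which is what 'frame matches' would scan.
SAMPLE_REQUESTS = [
    {"host": "www.example.com", "uri": "/w1/form.php"},
    {"host": "www.example.com", "uri": "/update/client.EXE"},
    {"host": "cdn.example.biz", "uri": "/index.html"},
    {"host": "www.example.com", "uri": "/download?file=setup.exe&v=2"},
    {"host": "www.example.com", "uri": "/texec/status"},
]

# Patterns from the thread (flag hoisted to the front for Python's re) and a
# tighter variant that requires a literal dot and a word boundary after 'exe'.
FILTERS = {
    "thread_exe": r"(?i).exe",
    "thread_biz": r"(?i).biz",
    "literal_dot_exe": r"(?i)\.exe\b",
}


def raw_request(req):
    """Render the request as the bytes a 'frame matches' rule would see."""
    return f"GET {req['uri']} HTTP/1.1\r\nHost: {req['host']}\r\n\r\n"


def frame_matches(pattern, req):
    """Emulate 'frame matches': search the whole request text."""
    return re.search(pattern, raw_request(req)) is not None


def uri_matches(pattern, req):
    """Emulate 'http.request.uri matches': search only the request URI."""
    return re.search(pattern, req["uri"]) is not None


def apply_filter(pattern, scope="frame", requests=SAMPLE_REQUESTS):
    """Return host+URI of every sample request the pattern selects."""
    check = frame_matches if scope == "frame" else uri_matches
    return [f"{r['host']}{r['uri']}" for r in requests if check(pattern, r)]


if __name__ == "__main__":
    for name, pattern in FILTERS.items():
        print(f"{name:16} frame: {apply_filter(pattern, 'frame')}")
        print(f"{name:16} uri:   {apply_filter(pattern, 'uri')}")
```

Two things stand out when this runs: the thread's `.(?i)exe` rule selects `/texec/status` because the `.` matches any character, whereas `\.exe\b` only selects real `.exe` file names; and the `.biz` pattern finds the `.biz` host only under the `frame` scope, since the hostname lives in the Host header rather than the URI. The same expressions can be tried against a saved capture with `tshark -r capture.pcap -Y '<filter>'`.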

question asked: 29 Jan '15, 03:22

question was seen: 2,689 times

last updated: 05 Feb '15, 13:30