Threat Encyclopedia


Installation
When executed, the trojan copies itself into the %system% folder with the following file names:

ntdelect.com

kavo.exe


The following files are dropped in the same folder:

kavo0.dll (37376 B)

autorun.inf (260 B)


The following file is dropped in the %temp% folder:

t2e.dll (31827 B)


In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%system%\kavo.exe"


The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
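As an added example (not code from the original entry), the following read-only PowerShell check looks for the persistence value, the Explorer settings and the dropped files listed above and reports what it finds; it changes nothing. It assumes Windows PowerShell 5.1 or later on the host being examined and an elevated prompt so the HKLM value can be read.

```powershell
function Find-KavoIndicators {
    $system = [Environment]::SystemDirectory   # %system%, e.g. C:\Windows\System32

    # Registry values from the entry, paired with the value the trojan writes.
    $regChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
           Name = 'kava'; Bad = "$system\kavo.exe" }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'Hidden'; Bad = 2 }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'ShowSuperHidden'; Bad = 0 }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name = 'NoDriveTypeAutoRun'; Bad = 145 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
           Name = 'CheckedValue'; Bad = 0 }
    )
    foreach ($c in $regChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$($item.($c.Name))" -ieq "$($c.Bad)") {
            [pscustomobject]@{ Indicator = "$($c.Path)\$($c.Name)"; Detail = $item.($c.Name) }
        }
    }

    # Dropped files; %temp% is per user, so the current user's profile is checked.
    $files = "$system\ntdelect.com", "$system\kavo.exe", "$system\kavo0.dll",
             "$system\autorun.inf", "$env:TEMP\t2e.dll"
    foreach ($f in $files) {
        if ([System.IO.File]::Exists($f)) {                     # sees hidden files too
            $size = (Get-Item -LiteralPath $f -Force).Length
            [pscustomobject]@{ Indicator = $f; Detail = "$size B" }
        }
    }

    # Spreading copies land in the root of fixed and removable drives.
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        foreach ($n in 'ntdelect.com', 'autorun.inf') {
            $p = Join-Path $d.Root $n
            if ([System.IO.File]::Exists($p)) {
                [pscustomobject]@{ Indicator = $p; Detail = 'present in drive root' }
            }
        }
    }
}

$findings = @(Find-KavoIndicators)
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No listed indicators found.' }
```

A reported file size can be compared with the sizes given in the entry; a match on the Run value alone is enough to treat the host as infected.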


Spreading
The trojan copies itself into the root folders of fixed and/or removable drives using the following filename:

ntdelect.com


The following file is dropped in the same folder:

autorun.inf


Information stealing
The trojan collects various information related to online computer games. The trojan loads and injects the "kavo0.dll" library into the following processes:

explorer.exe

iexplore.exe

dekaron.exe

maplestory.exe

hyo.exe

fairyclient.exe

ybclient.exe

wsm.exe

so3d.exe

The trojan is able to log keystrokes and can send the collected information to a remote machine over HTTP.


Other information
The following programs are terminated:

filmsg.exe

twister.exe

ravmon.exe

ravmond.exe

iparmor.exe

adam.exe

eghost.exe

mailmon.exe

kavpfw.exe