Threat Encyclopedia



Installation
When executed, the trojan copies itself into the:

%system%

folder under the following file name:

kavo.exe (117104 B)

The following file is dropped in the same folder:

kavo0.dll (96768 B)


The library with the following name is injected into all running processes:

kavo0.dll

The trojan creates and runs a new thread with its own program code within the following processes:

explorer.exe


In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%system%\kavo.exe"

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0


Spreading
The trojan copies itself into the root folders of fixed and/or removable drives using the following name:

f.cmd

The following file is dropped in the same folder:

autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.
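The Installation and Spreading sections above list concrete host indicators: four Registry values, an AutoRun policy mask, and an f.cmd / autorun.inf pair in drive roots. The following added example (not code from this encyclopedia entry) turns those into a small triage check. It assumes Registry data is supplied as a (key, value name) -> data mapping collected separately, and builds an inert, constructed directory to stand in for an infected drive root.

```python
import tempfile
from pathlib import Path
# GetDriveType() order; bit n of NoDriveTypeAutoRun disables AutoRun for drive type n.
DRIVE_TYPES = ["unknown", "no_root_dir", "removable", "fixed", "remote", "cdrom", "ramdisk", "reserved"]
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL"
# (key, value name, predicate on the observed data, meaning) for the values the entry lists.
REG_INDICATORS = [
    (RUN_KEY, "kava", lambda v: str(v).lower().endswith("kavo.exe"), "autostart entry for kavo.exe"),
    (ADV_KEY, "Hidden", lambda v: v == 2, "Explorer set to not show hidden files"),
    (ADV_KEY, "ShowSuperHidden", lambda v: v == 0, "Explorer set to hide protected OS files"),
    (SHOWALL_KEY, "CheckedValue", lambda v: v == 0, "'Show hidden files' option neutralised"),
]

def autorun_enabled_types(mask: int) -> list[str]:
    """Drive types on which AutoRun is still permitted under a NoDriveTypeAutoRun mask."""
    return [name for bit, name in enumerate(DRIVE_TYPES) if not mask & (1 << bit)]

def registry_findings(observed: dict) -> list[str]:
    """observed maps (key, value name) -> data, e.g. as collected with winreg on the host."""
    hits = []
    for key, name, matches, meaning in REG_INDICATORS:
        data = observed.get((key, name))
        if data is not None and matches(data):
            hits.append(f"{meaning}: {key}\\{name} = {data!r}")
    # 145 (0x91) was the long-standing Windows default: it blocks AutoRun only on unknown,
    # network and reserved drive types, so removable media (the spreading vector) stay enabled.
    mask = observed.get((POLICY_KEY, "NoDriveTypeAutoRun"))
    if mask is not None:
        allowed = autorun_enabled_types(int(mask))
        if "removable" in allowed:
            hits.append(f"AutoRun still allowed on: {', '.join(allowed)} (mask {int(mask):#x})")
    return hits

def drive_root_findings(root) -> list[str]:
    """Look for the f.cmd / autorun.inf pair in a drive root; names are matched case-insensitively."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    hits = [f"{n} present in {root}" for n in ("f.cmd", "autorun.inf") if n in files]
    inf = files.get("autorun.inf")
    if inf is not None and "f.cmd" in inf.read_text(errors="replace").lower():
        hits.append("autorun.inf references f.cmd")
    return hits

def constructed_drive_root() -> str:
    """Throwaway directory mimicking an infected drive root (constructed sample, inert files)."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    Path(root, "F.CMD").write_text("rem constructed placeholder, does nothing\n")
    Path(root, "autorun.inf").write_text("[autorun]\nopen=f.cmd\n")
    return root
```

A mask of 255 (0xFF) disables AutoRun on every drive type, which is the setting that actually removes the removable-media vector.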


Information stealing
The trojan collects various information related to online computer games. The trojan gathers information related to the following processes:

dekaron.exe

elementclient.exe

gc.exe

ge.exe

hyo.exe

maplestory.exe

Online6.dat

Ragexe.exe

so3d.exe

sro_client.exe

wsm.exe

ybclient.exe

zhengtu.dat

The trojan is able to log keystrokes. The trojan can send the information to a remote machine. The HTTP protocol is used.


Other information
The trojan can download and execute a file from the Internet. The trojan contains a list of 13 URLs. The trojan alters the behavior of some security-related applications. It uses techniques common to rootkits.