Threat Encyclopedia


Installation
When executed, the trojan copies itself into the %system% folder using the following name:

kavo.exe (115749 B)

The following file is dropped in the same folder:

kavo0.dll (124928 B)

The following files are dropped into the %temp% folder:

gxylc.dll (26910 B)
zs.sys (3450 B)

The trojan injects its own program code into the following process and runs it there in a new thread:

explorer.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%system%\kavo.exe"

The following Registry entries are set. Hidden, ShowSuperHidden and CheckedValue together stop Explorer from listing hidden and protected operating-system files and break the Folder Options switch that would re-enable them; NoDriveTypeAutoRun = 145 (0x91) leaves AutoRun enabled for removable and fixed drives, which the trojan relies on when spreading:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
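The script below is an added example for triaging these values; it is not part of the encyclopedia entry and not the trojan's code. The key paths, value names and data are those listed above; the HARDENED baseline and the dictionary layout are this example's own constructions, and the NoDriveTypeAutoRun bit layout is Microsoft's documented one (bit 1 << n disables AutoRun for drive type n as returned by GetDriveType).

```python
# Added example (not from the encyclopedia entry): interpret the Registry
# values the trojan sets and explain why 145 (0x91) matters.

ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced"
           r"\Folder\Hidden\SHOWALL")

# Values exactly as the entry reports them, arranged as a dict for triage.
SET_BY_TROJAN = {
    (ADVANCED, "Hidden"): 2,
    (ADVANCED, "ShowSuperHidden"): 0,
    (POLICIES, "NoDriveTypeAutoRun"): 145,
    (SHOWALL, "CheckedValue"): 0,
}

# Constructed hardened baseline for comparison: list hidden and system files,
# let the Folder Options switch work, disable AutoRun for every drive type.
HARDENED = {
    (ADVANCED, "Hidden"): 1,
    (ADVANCED, "ShowSuperHidden"): 1,
    (POLICIES, "NoDriveTypeAutoRun"): 0xFF,
    (SHOWALL, "CheckedValue"): 1,
}

# NoDriveTypeAutoRun: bit 1 << n disables AutoRun for GetDriveType() value n.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "unrecognised": 0x80,
}


def autorun_disabled_for(value):
    """Map each drive type to True if `value` disables AutoRun for it."""
    return {name: bool(value & bit) for name, bit in DRIVE_TYPE_BITS.items()}


def assess_explorer_values(values):
    """Return human-readable findings for the four values the trojan touches.

    `values` is {(key_path, value_name): data}; on a live host it would be
    filled from winreg, here it is the constructed dict above."""
    findings = []
    if values.get((ADVANCED, "Hidden")) == 2:
        findings.append("Hidden=2: Explorer does not list files with the hidden attribute")
    if values.get((ADVANCED, "ShowSuperHidden")) == 0:
        findings.append("ShowSuperHidden=0: protected operating-system files are not listed")
    if values.get((SHOWALL, "CheckedValue")) == 0:
        # Explorer writes CheckedValue into Hidden when the user picks
        # "Show hidden files"; only 1 means "show", so 0 neuters the switch.
        findings.append("SHOWALL\\CheckedValue=0: choosing 'Show hidden files' in Folder "
                        "Options writes Hidden=0, so the setting cannot be restored from the UI")
    ndta = values.get((POLICIES, "NoDriveTypeAutoRun"))
    if ndta is not None:
        still_on = [t for t, off in autorun_disabled_for(ndta).items() if not off]
        if "removable" in still_on or "fixed" in still_on:
            findings.append(f"NoDriveTypeAutoRun=0x{ndta:02X}: AutoRun still enabled for "
                            + ", ".join(still_on))
    return findings


if __name__ == "__main__":
    for finding in assess_explorer_values(SET_BY_TROJAN):
        print(finding)
```

On a live Windows host the dictionary would be populated with winreg reads of the same four values; the point of the bit decode is that 0x91 only disables AutoRun for unknown, network and unrecognised drive types, so an autorun.inf on a USB stick or a fixed disk still fires.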

Spreading
The trojan copies itself into the root folders of fixed and/or removable drives using the following filename:

1wod1.com

The following file is dropped in the same folder:

autorun.inf
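The script below is an added example for checking a drive root for this spreading pattern; it is not part of the encyclopedia entry and not the trojan's code. The entry says only that autorun.inf is dropped next to a copy named 1wod1.com and does not give the file's contents, so the autorun.inf text and the root listing used here are constructed for the example.

```python
# Added example (not from the encyclopedia entry): parse an autorun.inf and
# report which files at the drive root it would launch.
import ntpath

# CONSTRUCTED sample; the entry does not disclose the real file's contents.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample, not recovered from the trojan
open=1wod1.com
shellexecute=1wod1.com
shell\\open\\Command="1wod1.com" /nolog
shell\\Auto\\command=1wod1.com
shell=Auto
"""

# CONSTRUCTED listing of a drive root carrying the pair from the entry.
SAMPLE_ROOT_LISTING = ["autorun.inf", "1wod1.com", "Documents", "Photos"]

LAUNCHABLE = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section with keys lower-cased.

    Deliberately tolerant: malicious autorun.inf files often carry junk lines,
    odd casing and a BOM, which configparser would reject outright."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command):
    """Program part of a command line: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(entries):
    """File names Explorer would run: open=, shellexecute= and every
    shell\\<verb>\\command= entry, reduced to a lower-cased base name."""
    targets = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            program = first_token(value)
            if program:
                targets.append(ntpath.basename(program).lower())
    return targets


def triage_drive_root(listing, autorun_text=None):
    """Findings for one drive root. `listing` is the names at the root and
    `autorun_text` the decoded autorun.inf, if one is present."""
    present = {name.lower() for name in listing}
    findings = []
    if "autorun.inf" not in present:
        return findings
    findings.append("autorun.inf present at drive root")
    if autorun_text is None:
        return findings
    for target in sorted(set(launch_targets(parse_autorun_inf(autorun_text)))):
        where = "present at the root" if target in present else "not found at the root"
        kind = "executable" if target.endswith(LAUNCHABLE) else "file"
        findings.append(f"autorun.inf launches {kind} {target}, {where}")
    return findings


if __name__ == "__main__":
    for finding in triage_drive_root(SAMPLE_ROOT_LISTING, SAMPLE_AUTORUN_INF):
        print(finding)
```

Scanning every removable and fixed drive root with triage_drive_root, and treating any .com or .exe launched from the root as suspect, catches this family's spreading mechanism regardless of the exact filename the copy uses.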


Information stealing
The trojan collects various information related to online computer games. The trojan gathers information related to the following processes:

maplestory.exe
hyo.exe
fairyclient.exe
cg.exe
coc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
so3d.exe
ge.exe
cabalmain.exe
elementclient.exe
wow.exe

The trojan can log keystrokes and send the collected information to a remote machine over HTTP.


Other information
The trojan alters the behavior of some security-related applications. It can download and execute a file from the Internet and contains a list of URLs. It uses techniques common to rootkits.