Threat Encyclopedia

Installation

When executed, the trojan copies itself into the %system32% folder under the following filename (a look-alike of the legitimate svchost.exe):

svohost.exe

The following file is dropped in the same folder:

winscok.dll

The dropped file is 33280 B in size. The following files are created:

%userprofile%\Desktop\Internet Explorer.url
%system32%\noruns.reg

The trojan attempts to delete the following file:

%system32%\kakatool.dll

To be executed on every system start, the trojan sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMam" = "%system32%\svohost.exe"

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

With CheckedValue set to 0, the "Show hidden files and folders" option in Explorer's Folder Options no longer takes effect, so hidden copies of the trojan stay out of sight.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "BD"

The value is hexadecimal (0xBD). NoDriveTypeAutoRun is a bitmask in which each set bit disables AutoRun for one drive type; compared with the Windows XP default of 0x91, 0xBD additionally disables AutoRun for removable (0x04), fixed (0x08) and CD-ROM (0x20) drives on the infected system.

The following Registry entries are removed (most are autostart entries of security products; the Rav*, Kv* and KAV* names belong to antivirus products, which therefore no longer start with the system):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTdhcp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winhoxt
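
The three Registry changes above (the SoundMam Run entry, the SHOWALL tampering and the NoDriveTypeAutoRun mask) can be checked offline against a `reg export` of the hives. The script below is an added example for this page, not ESET's code: it parses .reg text, decodes the AutoRun bitmask and reports the findings. The .reg text it works on is constructed; the drive letter and Windows folder in it are assumptions.

```python
"""Triage a Registry export (the text 'reg export' writes) for the persistence,
hidden-file and AutoRun changes described above.

Added example for this page, not ESET's code.  The .reg text below is
constructed for the demonstration: the drive letter and Windows folder are
assumed, and real exports are UTF-16LE (open them with encoding="utf-16")."""
import re

# HKCU\...\Policies\Explorer\NoDriveTypeAutoRun is a bitmask: each set bit
# disables AutoRun for one drive type.  0x91 is the Windows XP default.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED_0x80",
}
DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x91

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
              r"\Policies\Explorer")

# Constructed sample of what 'reg export' would show on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMam"="C:\\WINDOWS\\system32\\svohost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000bd
'''

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    REG_SZ becomes str (with the .reg backslash/quote escaping undone),
    REG_DWORD becomes int; other types and hex continuation lines are left raw."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = data
        hives[current][name] = value
    return hives


def decode_no_drive_type_autorun(mask):
    """Drive types for which this NoDriveTypeAutoRun mask disables AutoRun."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if mask & bit]


def triage(hives):
    """Return human-readable findings for the three changes this trojan makes."""
    findings = []
    # 1. Run-key persistence: svohost.exe mimics the legitimate svchost.exe.
    for name, target in hives.get(RUN_KEY, {}).items():
        if isinstance(target, str) and "svohost.exe" in target.lower():
            findings.append(f"Run\\{name} starts {target}")
    # 2. Folder Options tampering: with CheckedValue=0 the "Show hidden files"
    #    option no longer reveals hidden files.
    if hives.get(SHOWALL_KEY, {}).get("CheckedValue") in (0, "0"):
        findings.append("SHOWALL\\CheckedValue=0: 'Show hidden files' option neutralised")
    # 3. AutoRun policy: report which drive types lost AutoRun versus the default.
    mask = hives.get(POLICY_KEY, {}).get("NoDriveTypeAutoRun")
    if isinstance(mask, int) and mask != DEFAULT_NO_DRIVE_TYPE_AUTORUN:
        newly_off = decode_no_drive_type_autorun(mask & ~DEFAULT_NO_DRIVE_TYPE_AUTORUN)
        findings.append(f"NoDriveTypeAutoRun=0x{mask:02X}; AutoRun newly disabled for "
                        + ", ".join(newly_off))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Run it against a real export with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm.reg` (and the HKCU Policies key) and feed the decoded text to `parse_reg_export`; the bitmask decoder is independent of this trojan and reads any NoDriveTypeAutoRun value.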

Spreading

The trojan copies itself into the root folder of fixed and removable drives under the following filename:

sxs.exe

The following file is created in the same folders:

autorun.inf

This causes the trojan to be executed when infected media are inserted into a system on which AutoRun is enabled for that drive type.
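
When an autorun.inf turns up in a drive root, the question is what it would launch. The parser below is an added example for this page, not ESET's code. The page does not reproduce the autorun.inf this trojan writes, so the two INI texts in the block are constructed: one in the style malware uses to point every AutoRun hook at a dropped sxs.exe, one benign.

```python
"""Report what an autorun.inf in a drive root would launch.

Added example for this page, not ESET's code.  The page does not reproduce the
autorun.inf this trojan writes, so the two INI texts below are constructed:
one in the style malware uses to launch a dropped sxs.exe, one benign."""

KNOWN_IOC_EXECUTABLES = {"sxs.exe"}          # filename named on this page
LAUNCH_KEYS = ("open", "shellexecute")       # run directly by AutoRun/AutoPlay

# Constructed: every AutoRun hook points at the dropped executable, and
# shell= makes "Auto" the default verb, so double-clicking the drive runs it.
MALICIOUS_AUTORUN_INF = r"""[AutoRun]
OPEN=sxs.exe
shellexecute=sxs.exe
shell\Auto\command=sxs.exe
shell=Auto
"""

# Constructed: a benign autorun.inf that only sets a label and an icon.
BENIGN_AUTORUN_INF = r"""; vendor USB stick
[autorun]
label=Backup
icon=vendor.ico
"""


def parse_autorun_inf(text):
    """Return {key_lower: value} for the [autorun] section (INI syntax;
    section name and keys are case-insensitive, ';' and '#' start comments)."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def executable_of(command):
    """First token of a command line (quotes stripped), or '' if empty."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def launch_targets(entries):
    """Every command AutoRun could execute: open=, shellexecute= and any
    shell\\<verb>\\command= (the verb named by shell= becomes the default action)."""
    targets = {}
    for key in LAUNCH_KEYS:
        if key in entries:
            targets[key] = executable_of(entries[key])
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            targets[key] = executable_of(value)
    return targets


def assess(text):
    """Summarise an autorun.inf: default verb, launch targets and IOC match."""
    entries = parse_autorun_inf(text)
    targets = launch_targets(entries)
    return {
        "default_verb": entries.get("shell", ""),
        "targets": targets,
        "known_ioc": any(exe.lower() in KNOWN_IOC_EXECUTABLES for exe in targets.values()),
    }


if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, assess(inf))
```

The parser is deliberately case-insensitive and tolerant of the shell\<verb>\command form, because an executable referenced only through a custom verb is still run when the user double-clicks the drive in Explorer; checking `open=` alone misses it.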

Information stealing

The trojan collects various information while QQ Instant Messenger is in use and can send it to a remote machine over HTTP or by e-mail.

Other information

Two URLs are opened in Internet Explorer, and two files are downloaded from the Internet and stored in the following locations:

%system32%\dqhx.txt
%system32%\hie.txt

The following processes are terminated (most belong to antivirus and firewall products; net.exe, net1.exe, sc.exe and regedit.exe are Windows tools an administrator would use to restart services or repair the Registry):

CCAPP.exe
CCenter.exe
EGHOST.exe
FireTray.exe
Iparmor.exe
Kav.exe
kav32.exe
KavPFW.exe
KAVPLUS.exe
kavstart.exe
kavsvc.exe
KpopMon.exe
KRegEx.exe
KVCenter.kxp
KVFW.exe
KVMonXP.exe
KVOL.exe
kvolself.exe
Kvsrvxp.exe
KVSrvXp_1.exe
kvwsc.exe
KWATCHUI.exe
MAILMON.exe
MCAGENT.exe
MCVSESCN.exe
MSKAGENT.exe
net.exe
net1.exe
Nvsvc32.exe
PFW.exe
RAVMON.exe
RavMonD.exe
RavService.exe
RavTask.exe
RAVTIMER.exe
regedit.exe
RfwMain.exe
RRfwMain.exe
Rtvscan.exe
sc.exe
sc1.exe
SHSTAT.exe
TBMon.exe
TrojDie.kxp
UpdaterUI.exe
VPTray.exe

The following services are disabled (security-product services, plus Windows' own Security Center, wscsvc, and System Restore, srservice):

ccEvtMgr
ccProxy
ccSetMgr
kavsvc
KVSrvXP
KVWSC
McAfeeFramework
McShield
McTaskManager
MskService
NPFMntor
RsCCenter
RsRavMon
SNDSrvc
SPBBCSvc
srservice
Symantec
wscsvc

The trojan terminates applications whose window titles contain any of the following strings:

qqav
TKillqqvir
TKqqviru