This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size.
| Installation |
The Trojan copies its executable file to the Windows system directory:
%System%\kavo.exe
In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
The Trojan also extracts the file shown below from its body:
This file is 114176 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.szc.
The Trojan also extracts the file shown below from its body:
This file is 29815 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.stcw.
| Payload |
The Trojan loads the .dll file into all processes launched on the system.
The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:
- maplestory.exe
- dekaron.exe
- gc.exe
- RagFree.exe
- Ragexe.exe
- ybclient.exe
- wsm.exe
- sro_client.exe
- so3d.exe
- ge.exe
- elementclient.exe
It sniffs traffic sent to the following addresses:
- 61.220.60.***
- 61.220.62.***
- 61.220.56.***
- 203.69.46.***
- 220.130.113.***
It does this in an attempt to harvest account data for the following games:
- ZhengTu
- Wanmi Shijie (Perfect World)
- Dekaron
- Siwan Mojie
- HuangYi Online
- Rexue Jianghu
- ROHAN
- Seal Online
- Maple Story
- R2 (Reign of Revolution)
- Talesweaver
and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.
Harvested data is sent to the remote malicious user's site. The Trojan also modifies the following system registry key parameter values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
The Trojan also attempts to terminate the following processes:
- KAV
- RAV
- AVP
- KAVSVC
The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:
<X>:\n6j.com
<X> indicates the relevant disk.
In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:
<X>:\autorun.inf
This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.
| Removal instructions |
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the following file:
%System%\kavo.exe
- Reboot the computer.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
- Restore the original system registry key values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
- Delete the following file:
%System%\kavo0.dll
- Empty the temporary directory (%Temp%).
- Delete the files shown below from all removable disks:
<X>:\n6j.com
<X>:\autorun.inf
<X> stands for the letter of the removable disk.
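A small offline triage helper, added here as an example and not part of this description or of Kaspersky's tooling: it parses a Windows .reg export and a file listing and reports which of the indicators listed above are present (the "kava" autostart value, the SHOWALL change, and the dropped file names). The sample export and file list are constructed.

```python
"""Offline triage of a .reg export and a file listing against the indicators
in this description. Added example; SAMPLE_REG / SAMPLE_FILES are constructed."""
import ntpath

# Indicators taken from the description above (%System% = Windows system dir).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
DROPPED_NAMES = {"kavo.exe", "kavo0.dll", "n6j.com", "autorun.inf"}


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.
    dword data becomes an int; string data is unescaped (.reg doubles '\\')."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def registry_indicators(reg_text):
    """Return the registry indicators from the description found in the export."""
    keys, hits = parse_reg(reg_text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Autostart entry: value "kava", or any Run value pointing at kavo.exe.
        if name.lower() == "kava" or ntpath.basename(str(data)).lower() == "kavo.exe":
            hits.append(f"Run\\{name} = {data}")
    if keys.get(SHOWALL_KEY, {}).get("CheckedValue") == 0:
        hits.append("SHOWALL\\CheckedValue = 0 (show-hidden-files option disabled)")
    return hits


def file_indicators(paths):
    """Return every listed path whose file name is one of the dropped files."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""  # constructed sample, not a real export
SAMPLE_FILES = [r"E:\autorun.inf", r"E:\n6j.com", r"E:\photos\trip.jpg"]
```

Run `registry_indicators(SAMPLE_REG)` and `file_indicators(SAMPLE_FILES)` to see the two registry hits and the autorun.inf / n6j.com pair reported together.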