Detection date: February 19, 2008
Specifications
This malicious program is a Trojan. It is a Windows executable (EXE) file, 112736 bytes in size.
Installation
The Trojan copies its executable file to the Windows system directory:
%System%\kavo.exe
To ensure that it runs automatically every time the system restarts, the Trojan registers its executable file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
The Trojan also extracts the following file from its own executable:
%System%\kavo0.dll
This file is 96768 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.rlb.
The Trojan also extracts the following file from its own executable:
%Temp%\.dll
This file is 29994 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.yyq.
Payload
The Trojan injects the .dll into every process running on the system. It also blocks mouse and keyboard events while any of the following processes is running:
maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe
It intercepts traffic sent to a set of IP addresses (the addresses are masked in the source report).
It will collect the following game account data:
ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
and some other games. The Trojan also parses the configuration files of these games and tries to harvest other players' accounts on the game server.
The collected data is sent to the attacker's remote site.
The Trojan also changes the following system registry values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
These settings keep hidden and system files from being shown in Explorer and leave autorun enabled for removable drives (the 0x91 mask does not set the 0x04 bit that covers removable drives).
The Trojan also tries to terminate processes whose names contain the following strings:
KAV
RAV
AVP
KAVSVC
The Trojan also has worm-like properties and can spread via removable storage devices. It copies its executable file to the root directory of each such drive:
<X>:\h2.com
where <X> is the letter of the relevant drive.
In addition, the Trojan places the following file in the root directory of every drive:
<X>:\autorun.inf
This file launches the Trojan executable every time the user opens the infected drive in Explorer.
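The following Python is an added example, not part of the original report: it checks a registry snapshot for the persistence entry and the Explorer/autorun settings described above, and parses an autorun.inf to show which file it would launch. The snapshot format (a dict of registry key path to value data), the function names and the sample inputs are assumptions of this example.

```python
import configparser

# Indicators from the report; the snapshot format (key path -> {value: data}) is assumed here.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# NoDriveTypeAutoRun is a bit mask indexed by GetDriveType(); bit 0x04 is
# DRIVE_REMOVABLE. The value 0x91 leaves that bit clear, so USB autorun stays on.
DRIVE_REMOVABLE_BIT = 0x04

def check_registry(snapshot):
    """Return the report's registry indicators that are present in a snapshot."""
    findings = []
    run_value = snapshot.get(RUN_KEY, {}).get("kava", "")
    if "kavo.exe" in run_value.lower():
        findings.append(f"persistence: Run\\kava = {run_value}")
    if snapshot.get(SHOWALL_KEY, {}).get("CheckedValue") == 0:
        findings.append("hidden files: SHOWALL CheckedValue = 0")
    advanced = snapshot.get(ADVANCED_KEY, {})
    if advanced.get("Hidden") == 2 or advanced.get("ShowSuperHidden") == 0:
        findings.append("hidden files: Hidden = 2 / ShowSuperHidden = 0")
    mask = snapshot.get(POLICY_KEY, {}).get("NoDriveTypeAutoRun")
    if mask is not None and not mask & DRIVE_REMOVABLE_BIT:
        findings.append(f"autorun still enabled for removable drives: NoDriveTypeAutoRun = {mask:#x}")
    return findings

def autorun_target(inf_text):
    """Return the file an autorun.inf would launch when opened in Explorer, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for option in ("open", "shellexecute", "shell\\open\\command"):
            if parser.has_option(section, option):
                return parser.get(section, option).strip()
    return None

# Constructed sample input mirroring the changes the report describes.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {"kava": r"%System%\kavo.exe"},
    SHOWALL_KEY: {"CheckedValue": 0},
    ADVANCED_KEY: {"Hidden": 2, "ShowSuperHidden": 0},
    POLICY_KEY: {"NoDriveTypeAutoRun": 0x91},
}
SAMPLE_AUTORUN = "[AutoRun]\nopen=h2.com\nshell\\open\\command=h2.com\n"
if __name__ == "__main__":
    print("\n".join(check_registry(SAMPLE_SNAPSHOT)))
    print("autorun.inf launches:", autorun_target(SAMPLE_AUTORUN))
```

On a live Windows host the snapshot would be filled from the registry (for example with winreg); a hardened NoDriveTypeAutoRun of 0xFF produces no autorun finding.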
Instructions for removal
If your computer does not have an antivirus program that updates automatically, or has no complete antivirus solution, follow these instructions to remove the malware from your computer:
1. Delete the following file:
%System%\kavo.exe
2. Restart the computer.
3. Delete the original Trojan file (its location depends on how it originally entered the victim computer).
4. Delete the following system registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
5. Restore the original values of the following system registry parameters (the values shown are those set by the Trojan):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
6. Delete the following file:
%System%\kavo0.dll
7. Delete the temporary files folder (%Temp%).
8. Delete the following files from all removable drives:
<X>:\h2.com
<X>:\autorun.inf
where <X> is the letter of the removable drive.
9. Update the antivirus databases and perform a full computer scan.