This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size.
Infection
The Trojan copies its executable file to the Windows system directory:
%System%\kavo.exe
In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
The Trojan also extracts the file shown below from its body:
%System%\kavo0.dll
This file is 114176 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.szc.
The Trojan also extracts the file shown below from its body:
%Temp%\
This file is 29815 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.stcw.
The Trojan loads the .dll file to all processes launched in the system.
The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:
maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe
It sniffs traffic sent to the following addresses:
61.220.60.***
61.220.62.***
61.220.56.***
61.220.62.***
203.69.46.***
220.130.113.***
It does this in an attempt to harvest account data for the following games:
ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web
server.
Harvested data is sent to the remote malicious user's site.
The Trojan also modifies the following system registry key parameter values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Fol
der\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
The Trojan also attempts to terminate the following processes:
KAV
RAV
AVP
KAVSVC
The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:
In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:
This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.
Removal Guide
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Delete the following file:
%System%\kavo.exe
2. Reboot the computer.
3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
4. Delete the following system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
5. Restore the original system registry key values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Fol
der\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
6. Delete the following file:
%System%\kavo0.dll
7. Empty the temporary directory (%Temp%).
8. Delete the files shown below from all removable disks:
