Worm.Win32.AutoRun.bhx

tag: Internet Worms

This worm creates copies of itself on removable storage media. It is a Windows PE EXE file. It is 115760 bytes in size.

Installation

Once launched, the worm copies its executable file to the Windows system directory:

%System%\kavo.exe

In order to ensure that the worm is launched automatically each time the system is restarted, the worm adds a link to its executable file to the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

The worm also extracts the following file from its body:

%System%\kavo0.dll

This file is 89088 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.OnLineGames.mbs.

The worm also extracts a file 31545 bytes in size from its body:

%Temp%\<rnd>.dll

Propagation

The worm copies its executable file to the root of each partition under the following name:

<X>:\XAdeIect.com

In addition to its executable file, the worm also places the file shown below in the root directory of every disk:

<X>:\autorun.inf

<X> indicates the relevant partition.

This file will launch the worm's executable file each time the user opens the infected partition using Explorer.

Payload

The worm loads the .dll file into all running processes.

The worm also intercepts mouse and keyboard events if one of the processes listed below has been launched:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

The worm harvests account data relating to the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

Harvested data is sent to the remote malicious user's site.

The worm also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the following file: %System%\kavo.exe
2. Reboot the computer.
3. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
4. Delete the following system registry key parameter values:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "kava" = "%System%\kavo.exe"
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   "CheckedValue" = "0"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Hidden" = "2"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "ShowSuperHidden" = "0"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "NoDriveTypeAutoRun" = "0x91"
5. Delete the following files: %Temp%\
©Virus-Encyclopedia.com All Rights Reserved.