The Trojan terminates the following processes:
sc.exe net.exe sc1.exe net1.exe PFW.exe Kav.exe KVOL.exe KVFW.exe TBMon.exe kav32.exe kvwsc.exe CCAPP.exe EGHOST.exe KRegEx.exe kavsvc.exe VPTray.exe RAVMON.exe KavPFW.exe SHSTAT.exe regedit.exe RavTask.exe TrojDie.kxp Iparmor.exe MAILMON.exe MCAGENT.exe KAVPLUS.exe RavMonD.exe Rtvscan.exe Nvsvc32.exe KVMonXP.exe Kvsrvxp.exe CCenter.exe KpopMon.exe RfwMain.exe KWATCHUI.exe MCVSESCN.exe MSKAGENT.exe kvolself.exe KVCenter.kxp kavstart.exe RAVTIMER.exe RRfwMain.exe FireTray.exe UpdaterUI.exe KVSrvXp_1.exe RavService.exe
It deletes the following values from the system registry:
RavTask KvMonXP YLive.exe yassistse KAVPersonal50 JQbkgu Winhoxt
The Trojan harvests passwords saved on the system and sends them to the remote malicious user by email.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate SVOHOST.EXE, the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following parameter from the system registry (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "soundman" = "%System%\SVOHOST.exe"
- Delete all files created by the Trojan from the root directories of all logical disks (access the disks by using Right Mouse Button - Open, in order to prevent autorun.inf from running and the Trojan process from being launched):
%System%\SVOHOST.exe %System%\winscok.dll sxs.exe autorun.inf
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This Trojan is designed to steal user passwords. It is a Windows PE EXE file written in Borland Delphi. The Trojan has no self-replication routine. The size of the Trojan file varies from 32KB to 144KB.
Installation
When launched, the Trojan creates a process called "SVOHOST.EXE".
It copies its executable file to the Windows system directory as "SVOHOST.exe" with Hidden and System attributes:
%System%\SVOHOST.exe
The Trojan also copies itself to all logical disk root directories apart from C: as "sxs.exe" with the Hidden attribute. It also creates, on the same disks, a hidden file called "autorun.inf", which will launch sxs.exe when the logical disk is opened.
The Trojan also creates the following file:
%System%\winscok.dll
The Trojan then adds a link to its executable file in the system registry, ensuring that it will be launched when Windows is rebooted on the victim machine:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "soundman" = "%System%\SVOHOST.exe"
The Trojan also modifies the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun" = dword:000000bd
The original Trojan file is then deleted.
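As an added example (not part of the original description), the following Python checker works over the two artefacts the installation section describes: it parses registry entries written in the page's own `[key] "name" = value` notation to flag the Run-key entry that starts SVOHOST.exe and to decode the NoDriveTypeAutoRun bitmask (0xbd here) into the drive types on which AutoRun is disabled, and it extracts the launch targets from an autorun.inf. The sample autorun.inf and registry lines are constructed for the example; the page does not reproduce the real file.

```python
import configparser
import re

# Constructed autorun.inf modelled on the behaviour above (the page does not show the real file).
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=sxs.exe\nshellexecute=sxs.exe\n"

# Constructed registry lines in the same notation the page uses (one benign entry for contrast).
SAMPLE_REG_LINES = [
    r'[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "soundman" = "%System%\SVOHOST.exe"',
    r'[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe" = "%System%\ctfmon.exe"',
    r'[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun" = dword:000000bd',
]
# Drive-type bits of NoDriveTypeAutoRun (DRIVE_* constants plus the reserved high bit);
# a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
                   0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # values name a program to run
REG_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')

def autorun_launch_targets(inf_text):
    """Return every program an autorun.inf would launch, from any launch key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(inf_text)
    return [v.strip() for s in cp.sections() if s.lower() == "autorun"
            for k, v in cp.items(s) if k in LAUNCH_KEYS and v.strip()]

def parse_reg_line(line):
    """Parse '[key] "name" = value' into (key, name, value); dword values become ints."""
    m = REG_LINE.match(line.strip())
    if not m:
        return None
    value = m.group("value").strip()
    if value.lower().startswith("dword:"):
        return m.group("key"), m.group("name"), int(value[6:], 16)
    return m.group("key"), m.group("name"), value.strip('"')

def svohost_run_entries(reg_lines):
    """Flag Run-key values that start the SVOHOST.exe copy this Trojan drops."""
    hits = []
    for parsed in map(parse_reg_line, reg_lines):
        if parsed and parsed[0].lower().endswith("\\currentversion\\run") \
                and isinstance(parsed[2], str) and parsed[2].lower().endswith("svohost.exe"):
            hits.append((parsed[1], parsed[2]))
    return hits

def autorun_disabled_drive_types(reg_lines):
    """Decode NoDriveTypeAutoRun into the drive types on which AutoRun is disabled."""
    for parsed in map(parse_reg_line, reg_lines):
        if parsed and parsed[1].lower() == "nodrivetypeautorun":
            return {name for bit, name in DRIVE_TYPE_BITS.items() if parsed[2] & bit}
    return None
```

Note that 0xbd leaves the 0x02 and 0x40 bits clear, so the decoded set shows exactly which drive types the modified value still allows AutoRun on.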