TSPY_ONLINEG

ANALYSIS BY:

Dianne Lagrimas


ALIASES:

OnlineGames, Magania, Gamania, Taterf

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW


KAVO malware are known for stealing account details for online games. They do so by monitoring game-related processes and websites. The stolen information consists of user names and passwords. This spyware may also connect to specific URLs to download other components.

Aside from stealing information, KAVO malware can compromise a system's security. They may disable antivirus applications by terminating antivirus-related processes found running on the affected system.

Interestingly, KAVO malware also check whether the system language is Chinese. It has been speculated that the creator of KAVO malware is based in China, which would explain the check on the operating system's language. However, as of 2012, no perpetrators behind KAVO malware have been identified.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Steals information, Downloads files, Disables services, Compromises system security

Installation

This spyware drops the following copies of itself into the affected system:

  • %System%\{random 5 letters}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This spyware modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, {random 5 letters}.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe.)

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\URL
SystemMgr = "Del"

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\
protected\AVP7\profiles\
Updater
enabled = "0"
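As an added defender-side example (not Trend Micro's own tooling, nor code from this spyware), the following Python audits the two routines above: it flags any Winlogon Userinit entry beyond the default userinit.exe, and it looks up the three registry writes listed under Other System Modifications in a registry snapshot. The snapshot's dict layout and all sample values are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Default data of the Winlogon Userinit value on the platforms listed above.
DEFAULT_USERINIT = r"%System%\userinit.exe"

# Registry writes attributed to this spyware in the write-up, as
# (key path, value name, data) triples; paths are compared case-insensitively.
ONLINEG_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "TabProcGrowth", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL", "SystemMgr", "Del"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater", "enabled", "0"),
]


def _norm_path(path: str, system_dir: str) -> str:
    """Expand %System%, strip quotes, resolve bare names and fold case."""
    p = path.strip().strip('"').replace("%System%", system_dir)
    if "\\" not in p and "/" not in p:
        p = system_dir + "\\" + p  # Winlogon resolves a bare name against System32
    return re.sub(r"[\\/]+", r"\\", p).lower()


def parse_userinit(data: str) -> List[str]:
    """Split Userinit data into program entries; a trailing comma is normal and ignored."""
    return [e.strip() for e in data.split(",") if e.strip()]


def suspicious_userinit_entries(data: str, system_dir: str = r"C:\Windows\System32") -> List[str]:
    """Return every Userinit entry that is not the default userinit.exe.

    Winlogon launches each listed program at logon, so an extra entry such as a
    five-letter .exe appended after userinit.exe is the autostart described above.
    """
    expected = _norm_path(DEFAULT_USERINIT, system_dir)
    return [e for e in parse_userinit(data) if _norm_path(e, system_dir) != expected]


def matching_indicators(registry: Dict[Tuple[str, str], str]) -> List[str]:
    """Return 'key\\value' strings for each indicator present with the listed data.

    `registry` maps (key path, value name) to data, as a host inventory export
    might; the lookup is case-insensitive on both key path and value name.
    """
    folded = {(k.lower(), v.lower()): d for (k, v), d in registry.items()}
    return [f"{key}\\{name}" for key, name, data in ONLINEG_INDICATORS
            if folded.get((key.lower(), name.lower())) == data]


if __name__ == "__main__":
    # Constructed sample value, not taken from a real host.
    print(suspicious_userinit_entries(r"C:\Windows\System32\userinit.exe, abcde.exe,"))
```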

Other Details

This spyware connects to the following possibly malicious URLs:

  • http://www.{BLOCKED}hhuo.net/mljs11/heihaahhuo.png
  • http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.jpg
  • http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.gif
  • http://www.{BLOCKED}a.com/images/china.jpg
  • http://www.{BLOCKED}a.com/images/china.gif
  • http://www.{BLOCKED}a.com/images/china.bmp