Analysis by: Dianne Lagrimas

ALIASES:

OnlineGames, Magania, Gamania, Taterf

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware
  • Destructiveness: No
  • Encrypted:
  • In the wild: Yes

OVERVIEW

KAVO malware are known for stealing account details for online games. They do so by monitoring game-related processes and websites. The stolen information consists of user names and passwords. This spyware may also connect to specific URLs to download other components.

Aside from stealing information, KAVO malware can compromise a system's security. They may disable antivirus applications by terminating antivirus-related processes if these are found running on the affected system.

Interestingly, KAVO malware also check whether the system language is Chinese. There is some speculation that the creator of KAVO malware has origins in China, which may explain why the operating system's language is checked. However, there are no known perpetrators for KAVO malware as of 2012.

TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Steals information, Downloads files, Disables services, Compromises system security

Installation

This spyware drops the following copies of itself into the affected system:

  • %System%\{random 5 letters}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This spyware modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, {random 5 letters}.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe.)

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
TabProcGrowth = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
SystemMgr = "Del"

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater
enabled = "0"
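The Winlogon Userinit modification above and the registry values listed under Other System Modifications can be audited on a live host. The following PowerShell script is an added example written for this entry, not code from Trend Micro; it assumes an elevated session on Windows and treats the Kaspersky updater value as a weak indicator, since an administrator may have disabled updates legitimately.

```powershell
# Added example (not part of the original entry): audit a Windows host for the
# KAVO persistence and registry changes described above. Run elevated.
$findings = @()

# 1. Winlogon Userinit. The clean value is "<System32>\userinit.exe," (the trailing
#    comma is normal). Any other executable in the comma-separated list is suspect.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'
if ($userinit) {
    $entries = $userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -ne $expected) {   # -ne is case-insensitive in PowerShell
            $findings += "Winlogon Userinit has unexpected entry: $entry"
        }
    }
}

# 2. Registry values this entry lists under "Other System Modifications".
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'TabProcGrowth'; Value = '0';   Weight = 'strong' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL';             Name = 'SystemMgr';     Value = 'Del'; Weight = 'strong' },
    @{ Path = 'HKLM:\SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater';      Name = 'enabled';       Value = '0';   Weight = 'weak' }
)
foreach ($i in $indicators) {
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    # String comparison so a REG_DWORD 0 and a REG_SZ "0" both match.
    if ($item -and ("$($item.$($i.Name))" -eq $i.Value)) {
        $findings += "[$($i.Weight)] $($i.Path)\$($i.Name) = $($i.Value)"
    }
}

# 3. Dropped copy: a five-letter .exe directly in %System% without a valid
#    Authenticode signature. Signature status is the filter, not the name alone.
$sys32 = Join-Path $env:SystemRoot 'System32'
$candidates = Get-ChildItem -Path $sys32 -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[A-Za-z]{5}$' }
foreach ($f in $candidates) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += "Unsigned five-letter executable in System32: $($f.FullName)"
    }
}

if ($findings.Count -eq 0) { 'No KAVO indicators found.' } else { $findings }
```

A hit on the Userinit check alone is a stronger signal than any of the registry values, which should be confirmed against the dropped file before taking response action.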

Other Details

This spyware connects to the following possibly malicious URLs:

  • http://www.{BLOCKED}hhuo.net/mljs11/heihaahhuo.png
  • http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.jpg
  • http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.gif
  • http://www.{BLOCKED}a.com/images/china.jpg
  • http://www.{BLOCKED}a.com/images/china.gif
  • http://www.{BLOCKED}a.com/images/china.bmp