Date discovered: 26/02/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: High
Static file: Yes
File size: 172.207 Bytes
GENERAL
Aliases:
• Symantec: W32.SillyFDC
• Sophos: Mal/Generic-A
• Panda: W32/Lineage.KYR
• Eset: Win32/PSW.OnLineGames.NNU
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads files
• Drops malicious files
• Registry modification
FILES
It copies itself to the following locations:
• %SYSDIR%\kva8wr.exe
• %drive%\jbele1.com
It renames the following files:
• %malware execution directory% into c:\%existing file or directory%.vcd
It deletes the initially executed copy of itself.
It deletes the following file:
• %SYSDIR%\drivers\cdaudio.sys
It may corrupt the following file:
• %SYSDIR%\drivers\cdaudio.sys
The following files are created:
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
– %SYSDIR%\drivers\klif.sys Further investigation showed that this file is malware, too. Detected as: Rkit/Agent.4160
– %SYSDIR%\bgotrtu0.dll Detected as: TR/Vundo
– %SYSDIR%\uweyiwe0.dll Detected as: TR/Crypt.XPACK.Gen
– %drive%\lot.exe
– %SYSDIR%\ahnfgss0.dll
– %SYSDIR%\ahnsbsb.exe
– %SYSDIR%\ahnxsds0.dll
It tries to download some files:
– The location is the following:
• http://hjkio.com/xhg2/**********
– The location is the following:
• http://kioytrfd.com/xhg2/**********
REGISTRY
One of the following values is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kvasoft"="%SYSDIR%\kva8wr.exe"
The following registry keys are added in order to load the service after reboot:
– [HKLM\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
• "Type"=dword:00000001
• "Start"=dword:00000001
• "ErrorControl"=dword:00000001
• "ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
• "DisplayName"="KAVsys"
The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoDriveTypeAutoRun"=dword:00000091
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "ShowSuperHidden"=dword:00000001
• "Hidden"=dword:00000002
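The registry changes above are the part of this description a responder can check for most cheaply: the Run value, the KAVsys service pointing at klif.sys, the NoDriveTypeAutoRun mask and the two Explorer hidden-file settings. The following is an added example (not part of the original description and not a tool of the vendor that published it) that parses a .reg export and flags those indicators. The export text is constructed here from the values listed above; it assumes %SYSDIR% expands to C:\WINDOWS\system32 and uses the full hive names that REG EXPORT writes. The NoDriveTypeAutoRun decoding is general: a set bit disables AutoRun for that drive type, so 0x91 (the Windows XP default) still allows AutoRun on removable and fixed drives, which is exactly what an autorun.inf dropper needs; 0xFF disables it everywhere.

```python
import re

# Constructed sample of a .reg export; the key names and data mirror the
# values listed in the description above. %SYSDIR% is assumed to be
# C:\WINDOWS\system32. In .reg syntax backslashes inside strings are doubled.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kvasoft"="C:\\WINDOWS\\system32\\kva8wr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\klif.sys"
"DisplayName"="KAVsys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
"Hidden"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}


def _unescape(s):
    # Undo .reg string escaping: \" -> " and \\ -> \
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(data):
    # REG_DWORD is written as dword:<8 hex digits>; REG_SZ is quoted.
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data  # other types (hex:, hex(2): ...) are kept raw


def _normalise_key(path):
    # Lower-case the path and shorten the hive so keys can be compared
    # against the HKCU\... / HKLM\... form used in the description.
    hive, sep, rest = path.partition("\\")
    hive = hive.lower()
    return HIVE_ALIASES.get(hive, hive) + sep + rest.lower()


def parse_reg_export(text):
    """Parse a .reg export into {normalised_key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = _normalise_key(m.group(1))
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys


# NoDriveTypeAutoRun bit layout: a SET bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "reserved",
}


def autorun_enabled_drive_types(mask):
    """Drive types on which AutoRun is still allowed under the given mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def assess(reg):
    """Return finding strings for the indicators listed in the description."""
    findings = []
    run = reg.get(r"hkcu\software\microsoft\windows\currentversion\run", {})
    for name, data in run.items():
        if isinstance(data, str) and data.lower().endswith("kva8wr.exe"):
            findings.append(f"run-key persistence: {name} -> {data}")
    # The KAVsys / klif.sys names resemble a legitimate AV vendor's driver,
    # so confirm a hit with a hash or signature check, not the name alone.
    for key, values in reg.items():
        if "\\services\\" in key:
            image = str(values.get("ImagePath", ""))
            if image.lower().endswith("klif.sys"):
                findings.append(f"driver service {values.get('DisplayName', '?')} loads {image}")
    pol = reg.get(r"hkcu\software\microsoft\windows\currentversion\policies\explorer", {})
    mask = pol.get("NoDriveTypeAutoRun")
    if isinstance(mask, int) and not mask & 0x04:
        allowed = ", ".join(autorun_enabled_drive_types(mask))
        findings.append(f"NoDriveTypeAutoRun=0x{mask:02x} leaves AutoRun enabled on: {allowed}")
    showall = reg.get(r"hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall", {})
    if showall.get("CheckedValue") == 0:
        # CheckedValue is normally 1; 0 makes the "Show hidden files" option ineffective.
        findings.append("SHOWALL CheckedValue=0: 'Show hidden files' option sabotaged")
    adv = reg.get(r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", {})
    if adv.get("Hidden") == 2:
        findings.append("Explorer Hidden=2: hidden files are not displayed")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same functions can be fed the output of `reg export` for the keys above; the assessment matches on the path suffixes listed in the description rather than exact strings, so a differently expanded %SYSDIR% still produces a finding.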
INJECTION
ROOTKIT TECHNOLOGY
Hides the following:
– Its own process
Method used:
• Hidden from Master File Table (MFT)
• Hidden from Windows API
• Hidden from Interrupt Descriptor Table (IDT)
____________________________________________
Avira AntiVir Free
My antivirus fails to detect a virus. Could you suggest which antivirus works best?
Reply: vipre
I really like this blog.
Thanks for providing the full information about the Trojan, the system requirements and much more.