File details
Filename: kavo.exe
File size: 116839 bytes
MD5: f299731b300fb08dec8f6bcec5a1a70d
SHA1: 2dc8911170dabea852cc3d0d2994a37c8aa4864f
PEiD: PolyEnE 0.01+ by Lennart Hedlund
File 18.exe received on 01.01.2008 19:45:02
AhnLab-V3 2008.1.1.10 2007.12.31 -
AntiVir 7.6.0.46 2007.12.31 TR/Crypt.XDR.Gen
Authentium 4.93.8 2007.12.31 -
Avast 4.7.1098.0 2007.12.31 -
AVG 7.5.0.516 2008.01.01 SHeur.AJUJ
BitDefender 7.2 2008.01.01 -
CAT-QuickHeal 9.00 2007.12.31 -
ClamAV 0.91.2 2008.01.01 -
DrWeb 4.44.0.09170 2007.12.31 -
eSafe 7.0.15.0 2008.01.01 Suspicious File
eTrust-Vet 31.3.5421 2008.01.01 -
Ewido 4.0 2008.01.01 -
FileAdvisor 1 2008.01.01 -
Fortinet 3.14.0.0 2008.01.01 -
F-Prot 4.4.2.54 2007.12.31 -
F-Secure 6.70.13030.0 2008.01.01 W32/Smalltroj.BTCC
Ikarus T3.1.1.15 2008.01.01 -
Kaspersky 7.0.0.125 2008.01.01 -
McAfee 5196 2007.12.31 -
Microsoft 1.3109 2008.01.01 -
NOD32v2 2759 2008.01.01 -
Norman 5.80.02 2007.12.31 W32/Smalltroj.BTCC
Panda 9.0.0.4 2008.01.01 Suspicious file
Prevx1 V2 2008.01.01 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2008.01.01 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2008.01.01 -
TheHacker 6.2.9.176 2008.01.01 -
VBA32 3.12.2.5 2007.12.31 -
VirusBuster 4.3.26:9 2008.01.01 -
Webwasher-Gateway 6.6.2 2007.12.31 Trojan.Crypt.XDR.Gen
Filename: kavo0.dll - kavo1.dll
File size: 96768 bytes
MD5: 907a30b8c1f68f01b89b7a4a2f49be74
SHA1: 86133536954be5add3103c828ce5f1e53c3fd004
PEiD: PolyEnE 0.01+ by Lennart Hedlund [Overlay] *
File kavo1.dll received on 01.10.2008 20:06:15
AhnLab-V3 2008.1.11.10 2008.01.10 -
AntiVir 7.6.0.46 2008.01.10 TR/Crypt.NSPM.Gen
Authentium 4.93.8 2008.01.09 -
Avast 4.7.1098.0 2008.01.09 -
AVG 7.5.0.516 2008.01.10 -
BitDefender 7.2 2008.01.10 Trojan.PWS.Onlinegames.NXE
CAT-QuickHeal 9.00 2008.01.10 -
ClamAV 0.91.2 2008.01.10 -
DrWeb 4.44.0.09170 2008.01.10 Trojan.PWS.Wsgame.2486
eSafe 7.0.15.0 2008.01.09 -
eTrust-Vet 31.3.5446 2008.01.10 -
Ewido 4.0 2008.01.10 -
FileAdvisor 1 2008.01.10 -
Fortinet 3.14.0.0 2008.01.10 -
F-Prot 4.4.2.54 2008.01.09 -
F-Secure 6.70.13030.0 2008.01.10 -
Ikarus T3.1.1.20 2008.01.10 Trojan-PWS.OnlineGames.NXE
Kaspersky 7.0.0.125 2008.01.10 -
McAfee 5204 2008.01.10 -
Microsoft 1.3109 2008.01.10 VirTool:Win32/Obfuscator!Mal
NOD32v2 2781 2008.01.10 Win32/Pacex.Gen
Norman 5.80.02 2008.01.10 -
Panda 9.0.0.4 2008.01.10 Suspicious file
Prevx1 V2 2008.01.10 Generic.Malware
Rising 20.26.32.00 2008.01.10 Packer.Win32.Mian007.a
Sophos 4.24.0 2008.01.10 -
Sunbelt 2.2.907.0 2008.01.10 -
Symantec 10 2008.01.10 -
TheHacker 6.2.9.185 2008.01.09 -
VBA32 3.12.2.5 2008.01.10 -
VirusBuster 4.3.26:9 2008.01.10 -
Webwasher-Gateway 6.6.2 2008.01.10 Trojan.Crypt.NSPM.Gen
Visible signs
Logfile of Trend Micro HijackThis v2.0.2
...
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
Other known filenames are amvo.exe (older version) and avpo.exe:
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
Technical details
Registry changes.
- Creates a Legacy entry without adding the corresponding service.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000 "DeviceDesc"
Type: REG_SZ
Data: trfdewsxzq
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000 "Service"
Type: REG_SZ
Data: trfdewsxzq
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRFDEWSXZQ\0000\Control "ActiveService"
Type: REG_SZ
Data: trfdewsxzq
- Creates a loading point in order to start on each boot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "kava"
Type: REG_SZ
Data: C:\WINDOWS\system32\kavo.exe
- Keeps track of which version is installed.
HKEY_CLASSES_ROOT\CLSID\MADOWN "urlinfo"
Type: REG_SZ
Data: vcver3.0
- Modifies Explorer settings so that hidden files can't be viewed.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 02, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
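As an added example (not part of the original write-up), a small Python checker that covers the two signs documented above: the Run-key entries seen in the HijackThis log and the three Explorer values the infection rewrites. The O4 line format and the value names come from the log and registry dump above; the sample lines, the benign ctfmon.exe entry and the read_explorer_values helper are constructed here.

```python
import re

# Run-key names and loader filenames for this family (from the HijackThis lines
# above: kava/kavo.exe, amva/amvo.exe, avpa/avpo.exe).
KNOWN_RUN_NAMES = {"kava": "kavo.exe", "amva": "amvo.exe", "avpa": "avpo.exe"}
# Explorer values the infection rewrites (value name -> data the malware writes).
# CheckedValue=0 is the strongest signal: Explorer copies it into "Hidden" when
# the user ticks "Show hidden files", so the setting silently reverts.
MALWARE_EXPLORER_VALUES = {"Hidden": 2, "ShowSuperHidden": 0, "CheckedValue": 0}
O4_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = ADVANCED + r"\Folder\Hidden\SHOWALL"

def check_hijackthis(lines):
    """Return [(Run value name, path)] for O4 entries matching a known name/loader pair."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = m.group("path").rsplit("\\", 1)[-1].lower()
        if KNOWN_RUN_NAMES.get(m.group("name").lower()) == exe:
            hits.append((m.group("name"), m.group("path")))
    return hits

def check_explorer_values(current):
    """current: {value name: REG_DWORD data}; returns the names set to the malware's data."""
    return sorted(n for n, v in MALWARE_EXPLORER_VALUES.items() if current.get(n) == v)

def read_explorer_values():
    """Read the three live values on a Windows host (hypothetical helper, needs winreg)."""
    import winreg
    spots = {"Hidden": (winreg.HKEY_CURRENT_USER, ADVANCED),
             "ShowSuperHidden": (winreg.HKEY_CURRENT_USER, ADVANCED),
             "CheckedValue": (winreg.HKEY_LOCAL_MACHINE, SHOWALL)}
    out = {}
    for name, (hive, path) in spots.items():
        with winreg.OpenKey(hive, path) as key:
            out[name] = winreg.QueryValueEx(key, name)[0]
    return out

# Constructed sample: two entries in the log format above plus a benign one.
SAMPLE_LOG = ["O4 - HKCU\\..\\Run: [kava] C:\\WINDOWS\\system32\\kavo.exe",
              "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
              "O4 - HKCU\\..\\Run: [avpa] C:\\WINDOWS\\system32\\avpo.exe"]
SAMPLE_VALUES = {"Hidden": 2, "ShowSuperHidden": 0, "CheckedValue": 0}

if __name__ == "__main__":
    print(check_hijackthis(SAMPLE_LOG), check_explorer_values(SAMPLE_VALUES))
```

On a live host, feed the result of read_explorer_values() to check_explorer_values(); an empty list means none of the three values carries the malware's data.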
File changes.
Note: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
c:\autorun.inf
Date: 1/11/2008 4:52 PM
Size: 475 bytes
c:\g2p3s.exe
Date: 1/11/2008 4:50 PM
Size: 116 686 bytes
%Temp%\4z5zdceq.dll
Date: 1/11/2008 4:49 PM
Size: 32 125 bytes
%Temp%\mpt.dll
Date: 1/11/2008 4:50 PM
Size: 32 402 bytes
c:\Documents and Settings\[User Name]\Local Settings\Temporary Internet Files\Content.IE5\92R4PBXU\zz[1].rar
Date: 1/11/2008 4:49 PM
Size: 64 bytes
c:\Documents and Settings\[User Name]\Local Settings\Temporary Internet Files\Content.IE5\J1GDZ2YZ\zz[1].exe
Date: 1/11/2008 4:50 PM
Size: 116 686 bytes
%system%\kavo.exe
Date: 1/11/2008 4:50 PM
Size: 116 686 bytes
%system%\kavo0.dll
Date: 1/11/2008 4:49 PM
Size: 96 768 bytes
%system%\kavo1.dll
Date: 1/11/2008 4:50 PM
Size: 96 768 bytes
%system% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Rootkit scan
GMER 1.0.14.14060 - http://www.gmer.net
Rootkit scan 2008-01-11 17:16:30
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateKey [0xF9DE4AB0]
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateValueKey [0xF9DE49A4]
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwOpenProcess [0xF9DE47D2]
Code 8155C12B Kei386EoiHelper
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\wincab.sys The system cannot find the file specified. !
---- Devices - GMER 1.0.14 ----
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_CREATE [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_CREATE_NAMED_PIPE [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_CLOSE [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_READ [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_WRITE [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_QUERY_INFORMATION [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SET_INFORMATION [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_QUERY_EA [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SET_EA [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_FLUSH_BUFFERS [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_QUERY_VOLUME_INFORMATION [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SET_VOLUME_INFORMATION [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_DIRECTORY_CONTROL [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_FILE_SYSTEM_CONTROL [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_DEVICE_CONTROL [F9DE4D4E] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SHUTDOWN [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_LOCK_CONTROL [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_CLEANUP [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_CREATE_MAILSLOT [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_QUERY_SECURITY [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SET_SECURITY [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_POWER [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SYSTEM_CONTROL [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_DEVICE_CHANGE [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_QUERY_QUOTA [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_SET_QUOTA [F9DE4D3C] wincab.sys
---- EOF - GMER 1.0.14 ----
Notes
- Makes copies of itself on flash / removable drives in order to propagate.
- Adds a Registry key (Run) to auto-start on system boot.
- Installs a driver (rootkit) and writes to the virtual memory of iexplore.exe and explorer.exe.
- Creates 2 event entries under the explorer.exe process: one named Game_start and a second one with a random name.
- Loads kavo0.dll or kavo1.dll (*see below) under the System process and explorer.exe. Afterwards the DLL is loaded into almost every program launched. Such behaviour could take control of the system, record keystrokes, monitor mouse activity, etc.
- Checks if an update is available after install and upon reboot of the computer. If a newer version is available, downloads and installs it.
Driver Notes
The technique used is rather surprising. C:\WINDOWS\system32\wincab.sys really doesn't exist on the drive. How does it work then?
- When kavo.exe is executed, it drops 4z5zdceq.dll in the %Temp% folder. The DLL name is different for each version of the malware. 4z5zdceq.dll is detected as Trojan-PSW.Win32.OnLineGames.nnt.
- kavo.exe loads the DLL and writes h7.sys to the %Temp% folder. The driver name is random.
- h7.sys is loaded by the System process.
- kavo.exe deletes h7.sys.
- kavo.exe launches a hidden iexplore.exe process and writes to its virtual memory.
- Internet Explorer loads %Temp%\4z5zdceq.dll.
- kavo.exe copies itself to %system%\kavo.exe.
- kavo.exe drops kavo0.dll into the system32 folder.
- In the meantime, Internet Explorer writes wincab.sys to the system32 folder.
- The System process loads wincab.sys.
- Internet Explorer marks wincab.sys for deletion.
- A new thread is created by explorer.exe in order to load %system%\kavo0.dll.
- Explorer creates a new hidden Internet Explorer process and zz.rar is downloaded from the internet. This file tells whether an update is available.
- If an update is available, zz.exe is downloaded from the web and both files are copied into the %Temp% folder. The files may have another name; they are different for each update.
- In the meantime, explorer.exe copies %system%\kavo.exe to c:\g2p3s.exe (different filename for each version) and creates the c:\autorun.inf file. If any removable drives are present, those files are also copied to their root folder. This method ensures that the malware will propagate to another computer if the flash drive is plugged in.
- If an update was available, it's installed using the same method as described in points 1 to 12.
- When the update tries to overwrite %system%\kavo0.dll, a sharing violation is triggered. The file is then dropped as kavo1.dll. That is why you will see both files present most of the time.
Since kavo.exe is set to run each time Windows starts, the rootkit will be reinstalled every time you restart / boot up the PC.
The files are very difficult to delete, partly due to the presence of the rootkit but also because the infection checks every 30 seconds whether %system%\kavo.exe, c:\g2p3s.exe and c:\autorun.inf are still present. If not, they are re-created.
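An added example (not part of the original analysis) that turns the load-then-delete observation in the Driver Notes into a check over a GMER log like the one in the Rootkit scan section: it reports SSDT hooks and driver dispatch tables whose backing module GMER could not find on disk. The record patterns are written against the GMER 1.0.14 text format shown above; the excerpt below is constructed from that log, and the legit.sys hook is invented to show a hook whose file is present is not reported.

```python
import re

# Record patterns for the GMER 1.0.14 text output shown above.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\\Driver\\\S+)\s+\S+\s+(?P<irp>IRP_MJ_\w+)"
                       r"\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse_gmer(lines):
    """Correlate SSDT hooks and driver dispatch tables with modules GMER could not find on disk."""
    hooks, missing, drivers = [], set(), {}
    for line in (raw.strip() for raw in lines):
        if m := SSDT_RE.match(line):
            hooks.append((basename(m.group("module")), m.group("func"), m.group("addr")))
        elif m := MISSING_RE.match(line):
            missing.add(basename(m.group("module")))
        elif m := DEVICE_RE.match(line):
            key = (m.group("driver"), basename(m.group("module")))
            drivers.setdefault(key, set()).add(m.group("irp"))
    # Hooks or dispatch routines in a module that is absent from disk match the
    # load-then-delete trick described in the notes; hooks backed by a file that
    # exists still deserve a look, but are not reported here.
    return {
        "missing": sorted(missing),
        "phantom_hooks": [(f, a) for mod, f, a in hooks if mod in missing],
        "phantom_drivers": {d: sorted(i) for (d, mod), i in drivers.items() if mod in missing},
    }

# Constructed excerpt in the format of the scan above: two of the three SSDT hooks,
# two of the 27 IRP lines, plus an invented legit.sys hook whose file is present.
SAMPLE_GMER = r"""
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwEnumerateKey [0xF9DE4AB0]
SSDT \??\C:\WINDOWS\system32\wincab.sys ZwOpenProcess [0xF9DE47D2]
SSDT \??\C:\WINDOWS\system32\drivers\legit.sys ZwCreateFile [0xF9000000]
? C:\WINDOWS\system32\wincab.sys The system cannot find the file specified. !
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_CREATE [F9DE4D3C] wincab.sys
Device \Driver\trfdewsxzq \Device\trfdewsxzq IRP_MJ_DEVICE_CONTROL [F9DE4D4E] wincab.sys
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in analyse_gmer(SAMPLE_GMER).items():
        print(key, value)
```

Hooks on ZwEnumerateKey and ZwEnumerateValueKey are what lets a driver filter registry listings, and ZwOpenProcess hooks are what lets it refuse handles to its processes, which fits the hard-to-delete behaviour described above.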
Offending IP
www.1a123.com - 61.162.230.89
IP Location - Beijing - Beijing - Cncgroup Shandong Province Network
Domain Name.......... 1a123.com
Creation Date........ 2006-11-13 09:45:21
Registration Date.... 2006-11-13 09:45:21
Expiry Date.......... 2008-11-13 09:45:21
Organisation Name.... chenhuazhen
Organisation Address. guangdongsheng
Organisation Address.
Organisation Address. guangzhou
Organisation Address. 525437
Organisation Address. GD
Organisation Address. CN
Admin Name........... chen huazhen
Admin Address........ guangdongsheng
Admin Address........
Admin Address........ guangzhou
Admin Address........ 525437
Admin Address........ GD
Admin Address........ CN
Admin Phone.......... +86.13143337732
Admin Fax............ +86.13143337732
Tech Name............ chen huazhen
Tech Address......... guangdongsheng
Tech Address.........
Tech Address......... guangzhou
Tech Address......... 525437
Tech Address......... GD
Tech Address......... CN
Tech Phone........... +86.13143337732
Tech Fax............. +86.13143337732
Bill Name............ chen huazhen
Bill Address......... guangdongsheng
Bill Address.........
Bill Address......... guangzhou
Bill Address......... 525437
Bill Address......... GD
Bill Address......... CN
Bill Phone........... +86.13143337732
Bill Fax............. +86.13143337732
Name Server.......... ns1.dns.com.cn
Name Server.......... ns2.dns.com.cn
Websites.
- 1a123.com
- 456kill.com
IP Location - Beijing - Beijing - Chinanet Anhui Province Network
Domain Name:om7890.com
Registrant:
chengxiaowu
shanghai
510000
Administrative Contact:
cheng xiaowu
chengxiaowu
shanghai
shanghai Shanghai 510000
China
tel: 86 021 8883728
fax: 86 021 8883728
Technical Contact:
cheng xiaowu
chengxiaowu
shanghai
shanghai Shanghai 510000
China
tel: 86 021 8883728
fax: 86 021 8883728
Billing Contact:
cheng xiaowu
chengxiaowu
shanghai
shanghai Shanghai 510000
China
tel: 86 021 8883728
fax: 86 021 8883728
Registration Date: 2007-02-14
Update Date: 2007-02-14
Expiration Date: 2008-02-14
Primary DNS: ns2.xinnetdns.com 210.51.170.48
Secondary DNS: ns2.xinnet.cn 210.51.170.67
Websites.
- Microsofthg.com
- Microsoftmg.com
- Microsoftrb.com
- Om7890.com
- Tw7890.com
