W32/Autorun.worm!F5EDC36C
- Type: Virus
- SubType: Worm
- Discovery Date: 04/20/2008
- Length: 116,814
- Minimum DAT: 5279 (04/22/2008)
- Updated DAT: 5279 (04/22/2008)
- Minimum Engine: 5.1.00
- Description Added: 04/20/2008
- Description Modified: 04/20/2008 10:29 PM (PT)
Characteristics
W32/Autorun.worm!F5EDC36C has the following attributes:
- File size: 116,814 bytes
- MD5: 60F5BED2E239731A6AB4EFC341A922C2
- CRC32: F5EDC36C
Upon execution, the worm drops the following files:
- %WINDOWS%\system32\kavo.exe (W32/Autorun.worm!F5EDC36C)
- %WINDOWS%\system32\kavo0.dll (detected as PWS-OnlineGames.a trojan since DAT 5278)
(where %WINDOWS% is the Windows directory, e.g. C:\Windows)
The worm sets the following registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "kava" = %WINDOWS%\system32\kavo0.dll
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  "Hidden" = 2
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  "ShowSuperHidden" = 0
The Run value gives the dropped DLL persistence for the current user. The two Explorer\Advanced values correspond to "Do not show hidden files and folders" and "Hide protected operating system files", so the dropped files stay out of sight in Explorer even if the user has previously enabled those views.
The worm injects the DLL file "kavo0.dll" into running processes in order to monitor the following online game processes:
- coc.exe
- ge.exe
- RagFree.exe
- Ragexe.exe
- so3d.exe
- wsm.exe
- ybclient.exe
- ZodiacOnline.exe
It also accesses the following files to steal account information:
- .\config.ini
- Online6.dat
- \woool.dat
- \WTF\config.wtf
- \ztpao.dat
It sends the gathered information to the following addresses (last octet withheld):
- 61.220.56.[removed]
- 61.220.60.[removed]
- 61.220.62.[removed]
- 203.69.46.[removed]
Symptoms
Presence of previously mentioned files and registry keys.
Presence of network connection to previously mentioned IP addresses.
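The symptoms above can be checked mechanically. The script below is an added example written for this page, not McAfee's tooling: it encodes the file, registry and network indicators listed in Characteristics and Method of Infection, and it also shows that the "!F5EDC36C" qualifier in the detection name is simply the CRC32 of the sample, so a recovered file can be matched with nothing more than zlib.crc32 and hashlib. The host snapshot in demo() is constructed (not real data); on a live machine you would feed triage() a directory listing, an export of the two HKCU keys and the remote addresses from netstat.

```python
"""Host triage against the indicators on this page (added example, not McAfee tooling)."""
import hashlib
import re
import zlib

# Indicators taken from the description above. Paths are matched as suffixes so
# the Windows directory can live anywhere (C:\Windows, C:\WINNT, ...).
DROPPED_FILES = (r"system32\kavo.exe", r"system32\kavo0.dll")
RUN_VALUE = ("kava", r"system32\kavo0.dll")
# Explorer\Advanced values the worm forces: hidden files not shown (2),
# protected OS files hidden (0). Together they conceal the dropped files.
EXPLORER_TAMPER = {"Hidden": "2", "ShowSuperHidden": "0"}
# Exfiltration hosts; the page withholds the last octet, so match on the /24.
C2_PREFIXES = ("61.220.56.", "61.220.60.", "61.220.62.", "203.69.46.")
SAMPLE_MD5 = "60f5bed2e239731a6ab4efc341a922c2"
SAMPLE_CRC32 = "F5EDC36C"
VOLUME_ROOT_ARTIFACT = re.compile(r"^[a-z]:\\(autorun\.inf|c\.com)$")


def sample_hashes(data: bytes) -> tuple:
    """Return (MD5 hex, CRC32 hex) of a file body.

    The "!F5EDC36C" qualifier in the detection name is the CRC32 of the sample,
    so zlib.crc32 reproduces it directly.
    """
    md5 = hashlib.md5(data).hexdigest()
    crc = "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)
    return md5, crc


def is_this_sample(data: bytes) -> bool:
    """True only for the exact sample described on this page."""
    return sample_hashes(data) == (SAMPLE_MD5, SAMPLE_CRC32)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def triage(files, run_values, explorer_values, remote_ips) -> list:
    """Return human-readable findings for one host.

    files           - iterable of full paths (system directory plus volume roots)
    run_values      - dict: HKCU ...\\CurrentVersion\\Run value name -> data
    explorer_values - dict: HKCU ...\\Explorer\\Advanced value name -> data
    remote_ips      - iterable of remote IPv4 addresses with open connections
    """
    findings = []
    dropped = tuple(s.lower() for s in DROPPED_FILES)
    for path in files:
        low = _norm(path)
        if low.endswith(dropped):
            findings.append("dropped file present: " + path)
        if VOLUME_ROOT_ARTIFACT.match(low):
            findings.append("volume-root artifact: " + path)
    name, target = RUN_VALUE
    data = run_values.get(name, "")
    if _norm(str(data)).endswith(target.lower()):
        findings.append("Run value %r -> %s" % (name, data))
    for value, forced in EXPLORER_TAMPER.items():
        if str(explorer_values.get(value)) == forced:
            findings.append("Explorer\\Advanced %s = %s (file hiding enforced)" % (value, forced))
    for ip in remote_ips:
        if ip.startswith(C2_PREFIXES):
            findings.append("connection to exfiltration range: " + ip)
    return findings


def demo() -> list:
    """Constructed host snapshot (not real data) that trips every check once."""
    files = [
        r"C:\Windows\system32\kavo.exe",
        r"C:\Windows\system32\kavo0.dll",
        r"C:\Windows\system32\kernel32.dll",   # benign, must not be flagged
        r"E:\autorun.inf",
        r"E:\c.com",
    ]
    run = {"kava": r"C:\Windows\system32\kavo0.dll",
           "ctfmon.exe": r"C:\Windows\system32\ctfmon.exe"}
    advanced = {"Hidden": "2", "ShowSuperHidden": "0"}
    conns = ["61.220.56.1", "10.0.0.5"]
    return triage(files, run, advanced, conns)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The registry check is deliberately per-user: both keys live under HKEY_CURRENT_USER, so on a shared machine each loaded user hive (or each NTUSER.DAT pulled from disk) has to be examined separately.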
Method of Infection
The following files are written to the root of writable volumes:
- [Drive]:\autorun.inf
- [Drive]:\c.com (W32/Autorun.worm!F5EDC36C)
The autorun.inf causes Windows AutoRun/AutoPlay to launch c.com when the volume is connected to or browsed on another machine, which is how the worm spreads between hosts.
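An autorun.inf is a plain INI file, and every way it can start a program is visible in its [autorun] section. The parser below is an added example, not McAfee's tooling; SAMPLE_INF is constructed to mirror what AutoRun worms typically plant beside the copied executable (the page does not reproduce this worm's actual file). It lists every launch entry and then filters for the pattern used here: a bare executable name sitting in the volume root next to autorun.inf.

```python
"""Enumerate what an autorun.inf would launch (added example, not McAfee tooling)."""
import configparser
import re

# [autorun] keys that run a program directly (open, shellexecute) or define an
# Explorer context-menu verb whose command runs one (shell\<verb>\command).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = {"com", "exe", "bat", "cmd", "pif", "scr", "vbs", "js"}

# Constructed sample, not the worm's own file. The redefined "open" and
# "explore" verbs mean even double-clicking the drive in Explorer runs c.com.
SAMPLE_INF = """\
[AutoRun]
open=c.com
shellexecute=c.com
shell\\open\\Command=c.com
shell\\open=Open(&O)
shell\\explore\\Command=c.com
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def launch_entries(text: str) -> list:
    """Return (key, value) pairs from [autorun] that cause something to run."""
    parser = configparser.ConfigParser(
        interpolation=None,   # '%' is common in inf values, never a template
        strict=False,         # worms often repeat keys; keep parsing anyway
        delimiters=("=",),    # ':' appears inside drive paths, so '=' only
    )
    parser.optionxform = str  # keep the original key spelling for the report
    parser.read_string(text.lstrip("\ufeff"))
    entries = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            k = key.lower()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k):
                entries.append((key, value.strip()))
    return entries


def root_executables(entries) -> list:
    """Filter to commands that are a bare executable name, i.e. a file that
    sits in the volume root beside autorun.inf (the c.com pattern above)."""
    out = set()
    for _key, value in entries:
        target = value.split()[0] if value else ""
        ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if "\\" not in target and "/" not in target and ext in EXEC_EXTS:
            out.add(target)
    return sorted(out)


def demo():
    """Parse the constructed sample; returns (launch entries, root executables)."""
    entries = launch_entries(SAMPLE_INF)
    return entries, root_executables(entries)


if __name__ == "__main__":
    entries, execs = demo()
    for key, value in entries:
        print("%-22s -> %s" % (key, value))
    print("executables in volume root:", execs)
```

When reading autorun.inf from a suspect volume, open it read-only and do not browse the drive in Explorer first: on systems that still honour AutoRun for that media type, the redefined "open" verb means the browse itself can run c.com. Disabling AutoRun for all drive types (NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) removes this infection path regardless of what the file contains.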
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a description of a specific sample of W32/Autorun.worm.h. The sample is detected under the unqualified family name W32/Autorun.worm.h as of DAT 5278; the "!F5EDC36C" qualifier in the name above is the CRC32 of this sample.