
PWS-Gamania.gen.a

Type: Trojan
SubType: Password
Discovery Date: 07/22/2008
Length: Varies
Minimum DAT: 5344 (07/22/2008)
Updated DAT: 6329 (04/27/2011)
Minimum Engine: 5.2.00
Description Added: 07/22/2008
Description Modified: 08/28/2008 9:44 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled


Characteristics

-- Update August 29, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.bbc.co.uk/1/hi/technology/7583805.stm

--

When executed, this password stealer drops a copy of itself in the following locations:

  • %windir%\system32\tavo.exe
  • %windir%\system32\tavo0.dll [Injected into many running processes]
  • %temp%\lawb.dll

The tavo0.dll file harvests the names of gaming servers, players' passwords, PINs and other information for well-known online games; this information may be uploaded to a pre-defined site configured by the attacker.

The malware also attempts to download an updated copy of itself, from the following URLs:

  • www.hgff46.net/[removed]/ff.exe
  • www.hgff46.net/[removed]/cc.exe

These downloaded files drop the following files which are new variants of the same malware:

  • %windir%\system32\tavo.exe
  • %windir%\system32\tavo1.dll
  • %windir%\system32\kavo0.exe
  • %windir%\system32\kavo0.dll
  • %systemdrive%\l1.com
  • %systemdrive%\autorun.inf
  • %windir%\xmg.exe
  • %windir%\tt.exe
  • %windir%\rb.exe
  • %windir%\system32\mmvo.exe
  • %windir%\system32\mmvo0.dll
  • %windir%\system32\ckvo.exe
  • %windir%\system32\ckvo0.dll

The malware also creates the following registry Run values so that it is executed at system startup:

  • HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "kava"
    Data: %windir%\system32\kavo.exe
  • HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "tava"
    Data: %windir%\system32\tavo.exe

The following security related processes may be terminated by the malware:

  • Kav.exe
  • Rav.exe
  • Avp.exe
  • Kavsvc.exe

This password stealer is also capable of spreading through removable devices by dropping a copy of itself along with an AutoRun.inf configuration file in all removable devices, the root of all fixed drives and the system folders.

"Autorun.inf" is a text based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.

This configuration file is intended as a convenience feature, but it is often misused by malware authors to make malware spread automatically without any user interaction.

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System32 on Windows XP.

Given below is a screenshot of the contents of a typical Autorun.inf configuration file:

Miscellaneous Information:

Users who want to prevent worms that execute without any user interaction via an “AutoRun.inf” file can disable the Windows AutoRun feature completely using the Windows Group Policy editor (Gpedit.msc).
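The following host-triage script is an added example, not McAfee's tooling or part of the original description. It checks a Windows host for the dropped files, Run values and drive-root autorun.inf files listed above, and reports whether the AutoRun feature has been turned off; the registry value it reads for the policy state (NoDriveTypeAutoRun under HKLM) is the one the Group Policy setting writes and is an assumption of this example, as is the choice to check it under HKLM rather than HKCU.

```powershell
# Added triage example for PWS-Gamania.gen.a indicators (not McAfee's own tooling).
# Paths are resolved from the same environment variables the description uses.
$win = $env:windir
$sys = Join-Path $win 'system32'
$sysDrive = $env:SystemDrive

# Dropped files named in the description (initial drop plus downloaded variants).
$filePaths = @(
    "$sys\tavo.exe", "$sys\tavo0.dll", "$env:TEMP\lawb.dll",
    "$sys\tavo1.dll", "$sys\kavo0.exe", "$sys\kavo0.dll", "$sys\kavo.exe",
    "$sysDrive\l1.com", "$sysDrive\autorun.inf",
    "$win\xmg.exe", "$win\tt.exe", "$win\rb.exe",
    "$sys\mmvo.exe", "$sys\mmvo0.dll", "$sys\ckvo.exe", "$sys\ckvo0.dll"
)
$findings = @()
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# Run values "kava" and "tava" under HKCU, as listed in the description.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'kava', 'tava') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run value '$name' -> $($run.$name)"
    }
}

# autorun.inf at the root of every fixed or removable drive (the spreading mechanism).
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "autorun.inf at drive root: $inf"
    }
}

# AutoRun policy state. NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for all
# drive types; this is the value the Group Policy setting writes (assumed to be
# checked under HKLM here; a per-user setting lives under HKCU instead).
$polKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($pol -and $pol.NoDriveTypeAutoRun -eq 255) {
    Write-Output 'AutoRun: disabled for all drive types (NoDriveTypeAutoRun=0xFF)'
} else {
    Write-Output 'AutoRun: NOT fully disabled; set it to Off for all drives via Gpedit.msc'
}

if ($findings.Count -eq 0) { Write-Output 'No PWS-Gamania.gen.a indicators found' }
else { $findings | ForEach-Object { Write-Output "INDICATOR: $_" } }
```

Run it from an elevated PowerShell session so that the system folders and the HKLM policy key are readable; a hit on any indicator warrants a full scan with current DATs as described under Removal.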


Symptoms

  • Presence of files and registry entries mentioned earlier
  • A software-based firewall, if one is installed on the machine, might alert about an unknown program attempting to connect to the internet

Method of Infection

This password stealer may spread by copying itself to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

The malware can also spread manually, under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or on unpatched and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

N/A

Overview


This description is for a password stealing trojan which attempts to steal user information for certain online games.

The characteristics of this password stealer with regard to passwords stolen, sites accessed, files downloaded, etc. will differ depending on how the attacker configured it. Hence, this is a general description.

Aliases

  • Trj/Lineage.BZE [Panda]
  • Trojan.Win32.Vaklik.bkh [Kaspersky]
  • Trojan:Win32/Meredrop [Microsoft]
  • W32.Gammima.AG [Symantec]
  • W32/Autorun-CL [Sophos]
