Worm.Win32.AutoRun.bhx

Detection added: Dec 27 2007 08:29 GMT
Update released: Dec 27 2007 11:51 GMT
Description added: Apr 18 2008
Behavior: Internet Worm

Technical details

This worm spreads by creating copies of itself on removable storage media. It is a Windows PE EXE file, 115760 bytes in size.

Installation

Once launched, the worm copies its executable file to the Windows system directory:

%System%\kavo.exe

To ensure that it is launched automatically each time the system starts, the worm registers its executable in the current user's Run key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

The worm also extracts the following file from its body:

%System%\kavo0.dll

This file is 89088 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.OnLineGames.mbs.

The worm also extracts a second file, 31545 bytes in size, from its body:

%Temp%\<rnd>.dll

Propagation

The worm copies its executable file to the root of each partition under the following name:

<X>:\XAdeIect.com

The file is a PE executable despite its .com extension. Alongside it, the worm places the file shown below in the root directory of every disk:

<X>:\autorun.inf

<X> indicates the relevant partition.

This autorun.inf references the worm's executable, so Explorer launches the worm each time the user opens the infected partition (for example by double-clicking the drive in My Computer): the file replaces the drive's default open action with the worm.
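The description does not reproduce the worm's autorun.inf. The following script is an added example, not code from the original page or from Kaspersky Lab. It parses an autorun.inf of the kind such worms drop, lists every directive that would launch a file, checks which of the referenced files actually exist in the partition root, and flags the dropper name given above. The autorun.inf contents, the directory it builds and the placeholder bytes it writes to XAdeIect.com are constructed for the demonstration.

```python
"""Triage scanner for autorun.inf-based worms (added example; not code from the original
description).  Given the root of a mounted or imaged partition, it parses autorun.inf,
collects every directive that would launch a file, and reports which of those files exist.
The sample autorun.inf and the directory built below are constructed for the demonstration;
the page does not reproduce the worm's own file."""
import os
import re
import tempfile

# Dropper name taken from the description above (lower-cased for case-insensitive matching).
KNOWN_DROPPER_NAMES = {"xadeiect.com"}

# [autorun] directives that execute something.  ``shell\<verb>\command`` is matched with a
# regex because the verb in the middle is arbitrary (open, explore, or whatever the worm picks).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return the command strings an autorun.inf would execute.

    Tolerant of the junk worms pad these files with: binary lines, odd casing and sections
    other than [autorun] are ignored, and only ``key=value`` lines inside [autorun] count."""
    commands = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            commands.append(value)
    return commands


def command_target(command):
    """Extract the bare, lower-cased file name that a command line would run."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        first = command[1:command.index('"', 1)]          # quoted path, may contain spaces
    else:
        tokens = command.split()
        first = tokens[0] if tokens else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_drive_root(root):
    """Return findings for one partition root."""
    entries = {name.lower(): name for name in os.listdir(root)}   # case-insensitive like FAT/NTFS
    findings = {"autorun_commands": [], "present_targets": [], "missing_targets": [],
                "known_dropper": sorted(n for n in entries if n in KNOWN_DROPPER_NAMES)}
    if "autorun.inf" in entries:
        with open(os.path.join(root, entries["autorun.inf"]), "rb") as fh:
            text = fh.read().decode("latin-1")   # never trust the encoding of a hostile file
        findings["autorun_commands"] = parse_autorun(text)
        present, missing = set(), set()
        for cmd in findings["autorun_commands"]:
            target = command_target(cmd)
            (present if target in entries else missing).add(target)
        findings["present_targets"] = sorted(present)
        findings["missing_targets"] = sorted(missing)
    return findings


# Constructed sample in the shape removable-media worms use: a junk line, mixed-case keys and
# a non-[autorun] section, with every launch directive pointing at the dropper name above.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "\x00\x01junk bytes that are not a directive\r\n"
    "OPEN=XAdeIect.com\r\n"
    "shell\\open\\Command=XAdeIect.com\r\n"
    "shell\\explore\\command=XAdeIect.com\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shellexecute=XAdeIect.com\r\n"
    "[NotAutorun]\r\n"
    "open=harmless.exe\r\n"
)
SAMPLE_DRIVE_FILES = {
    "autorun.inf": SAMPLE_AUTORUN_INF.encode("latin-1"),
    "XAdeIect.com": b"MZ" + b"\x00" * 62,   # placeholder bytes, not the real sample
}


def build_sample_drive(files=SAMPLE_DRIVE_FILES):
    """Create a throwaway directory laid out like an infected partition root."""
    root = tempfile.mkdtemp(prefix="drive_root_")
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for key, value in scan_drive_root(build_sample_drive()).items():
        print(f"{key}: {value}")
```

On a live Windows host call scan_drive_root on the drive root (for example "E:\\"); on an analysis machine point it at the mount point of a read-only mounted image. The hidden and system attributes the worm relies on do not hide files from a directory listing, so the dropper shows up even when Explorer would not display it.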

Payload

The worm injects the DLL it extracted into all running processes.

The injected code intercepts mouse and keyboard events when one of the processes listed below is running:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

The worm harvests account data relating to the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

Harvested data is sent to a site controlled by the attacker.

The worm also modifies the following system registry values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

The first three values keep hidden files and protected operating system files out of sight in Explorer, which conceals the worm's files; setting CheckedValue to 0 also stops the "Show hidden files and folders" option from taking effect when a user selects it. NoDriveTypeAutoRun is a bitmask in which a set bit disables AutoRun for one drive type; 0x91 clears the removable-drive bit (0x04) that the Windows XP default of 0x95 sets, so AutoRun is re-enabled for removable media.

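As an added example (not code from the original page or from Kaspersky Lab), the following Python decodes the two kinds of change listed above: it expands NoDriveTypeAutoRun into the drive types AutoRun is disabled for, shows which types a change from one mask to another newly enables, and compares the three Explorer hidden-file values read from a host with what the worm writes. The meaning of the bitmask, the Windows XP default of 0x95 and the shipped defaults for the Explorer values are standard Windows behaviour assumed here; the page itself only lists the values the worm writes. The observed dictionaries are constructed inputs standing in for values read from the registry.

```python
"""Decode the registry changes listed above (added example; not code from the original
description).  Bit meanings and Windows defaults are standard Windows behaviour assumed
here, not something the page states."""

# NoDriveTypeAutoRun is a bitmask: bit n set => AutoRun disabled for GetDriveType() value n.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",           # set in every Microsoft default value
}
XP_DEFAULT_MASK = 0x95          # Windows XP/2003 default (assumed): unknown, removable, remote off
WORM_MASK = 0x91                # value from the description
ALL_DISABLED_MASK = 0xFF        # common hardening value: AutoRun off for every drive type

POLICY_NODRIVETYPEAUTORUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
SHOWALL_CHECKEDVALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
ADVANCED_HIDDEN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
ADVANCED_SHOWSUPERHIDDEN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"

# (value path, what the worm writes, Windows XP default, value that shows hidden files)
EXPLORER_VALUES = [
    (SHOWALL_CHECKEDVALUE, 0, 1, 1),      # 0 breaks the "Show hidden files" option; never a default
    (ADVANCED_HIDDEN, 2, 2, 1),           # 2 = hide hidden files (also the shipped default)
    (ADVANCED_SHOWSUPERHIDDEN, 0, 0, 1),  # 0 = hide protected OS files (also the shipped default)
]


def autorun_disabled(mask):
    """Drive types for which the mask turns AutoRun off."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit)


def autorun_enabled(mask):
    """Drive types on which AutoRun still runs under the mask."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit)


def newly_enabled(before, after):
    """Drive types that go from AutoRun-disabled under ``before`` to enabled under ``after``."""
    return sorted(set(autorun_enabled(after)) - set(autorun_enabled(before)))


def reg_line(value_path, value):
    """Render a .reg-style key/value pair that sets a DWORD value."""
    key, _, name = value_path.rpartition("\\")
    return f'[{key}]\n"{name}"=dword:{value:08x}'


def assess_explorer(observed):
    """``observed`` maps value paths to the integers read from a host (a missing key means the
    value is absent).  Returns the paths whose value matches what the worm writes *and* differs
    from the Windows default (a usable indicator), plus .reg lines that make hidden files visible."""
    indicators, visibility_fixes = [], []
    for path, worm_value, default, visible in EXPLORER_VALUES:
        seen = observed.get(path)
        if seen == worm_value and worm_value != default:
            indicators.append(path)
        if seen != visible:
            visibility_fixes.append(reg_line(path, visible))
    return indicators, visibility_fixes


if __name__ == "__main__":
    print("AutoRun disabled under 0x91:", autorun_disabled(WORM_MASK))
    print("Newly enabled vs XP default:", newly_enabled(XP_DEFAULT_MASK, WORM_MASK))
    # Constructed input standing in for values read from an infected host.
    infected = {SHOWALL_CHECKEDVALUE: 0, ADVANCED_HIDDEN: 2, ADVANCED_SHOWSUPERHIDDEN: 0}
    found, fixes = assess_explorer(infected)
    print("Indicators:", found)
    print("\n".join(fixes))
    print(reg_line(POLICY_NODRIVETYPEAUTORUN, ALL_DISABLED_MASK))
```

Only CheckedValue = 0 is treated as an indicator on its own: Hidden = 2 and ShowSuperHidden = 0 are what a fresh Windows XP install already has, so matching them says nothing about infection, whereas Windows never writes CheckedValue = 0 itself. The last line printed is the hardening value for NoDriveTypeAutoRun (0xFF), which disables AutoRun for every drive type rather than merely restoring the default.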
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the following file:
   %System%\kavo.exe
2. Reboot the computer.
3. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
4. Delete the following system registry values, or restore them to their defaults. In particular, set "CheckedValue" back to 1 so that the "Show hidden files and folders" option works again, and either delete "NoDriveTypeAutoRun" to restore the Windows default or set it to 0xFF to disable AutoRun for all drive types:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "kava" = "%System%\kavo.exe"
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   "CheckedValue" = "0"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Hidden" = "2"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "ShowSuperHidden" = "0"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "NoDriveTypeAutoRun" = "0x91"
5. Delete the following files:
   %Temp%\<rnd>.dll
   %System%\kavo0.dll
6. Delete the following files from the root of every partition, including all removable disks:
   <X>:\XAdeIect.com
   <X>:\autorun.inf

   <X> stands for the drive letter of the partition or removable disk.

7. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Copyright © 1996 - 2010 Kaspersky Lab. All rights reserved.