Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'kava' = '<SYSTEM32>\kavo.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\ntdelect.com
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: <SYSTEM32>\kavo0.dll
Searches for windows to
bypass different anti-viruses:
- ClassName: 'AVP.Product_Notification' WindowName: ''
- ClassName: 'AVP.AlertDialog' WindowName: ''
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtOpenProcess, handler: wincab.sys
- NtEnumerateValueKey, handler: wincab.sys
- NtEnumerateKey, handler: wincab.sys
Forces autoplay for removable media.
Modifies file system :
Creates the following files:
- <SYSTEM32>\wincab.sys
- C:\ntdelect.com
- C:\autorun.inf
- <SYSTEM32>\kavo0.dll
- %TEMP%\wdagnb7.dll
- %TEMP%\206k9.sys
- <SYSTEM32>\kavo.exe
Sets the 'hidden' attribute to the following files:
- C:\autorun.inf
- <Drive name for removable media>:\ntdelect.com
- <Drive name for removable media>:\autorun.inf
- <SYSTEM32>\kavo.exe
- <SYSTEM32>\kavo0.dll
- C:\ntdelect.com
Deletes the following files:
- C:\autorun.inf
- <Drive name for removable media>:\ntdelect.com
- <Drive name for removable media>:\autorun.inf
- %TEMP%\206k9.sys
- <SYSTEM32>\wincab.sys
- C:\ntdelect.com
Deletes itself.
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
