TSPY_ONLINEG
Aliases: OnlineGames, Magania, Gamania, Taterf
Malware type: Spyware
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
In the wild: Yes

Overview


KAVO malware are known for stealing account details for online games. They do so by monitoring game-related processes and websites; the stolen information consists of user names and passwords. These spyware may also connect to specific URLs to download other components.

Aside from stealing information, KAVO malware can compromise a system's security. They may disable antivirus applications by terminating antivirus-related processes if these are found running on the affected system.

Interestingly, KAVO malware also check whether the language of the system is not Chinese. There is speculation that the creator of KAVO malware has origins in China, which may explain this check of the operating system's language. However, no perpetrators for KAVO malware were known as of 2012.

Technical Details

Memory resident: Yes
Payload: Connects to URLs/IPs, Steals information, Downloads files, Disables services, Compromises system security

Installation

This spyware drops the following copies of itself into the affected system:

  • %System%\{random 5 letters}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This spyware modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, {random 5 letters}.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe.)

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\URL
SystemMgr = "Del"

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\
protected\AVP7\profiles\
Updater
enabled = "0"
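A defensive check for the Userinit autostart entry and the other registry modifications listed above, written as an added Python example (not Trend Micro's code). It runs offline over a registry snapshot supplied as a dict; the snapshot below and the dropped-file name abcde.exe are constructed placeholders for the page's {random 5 letters}.exe.

```python
# Default Userinit value data (from the note above); anything appended to it is suspect.
DEFAULT_USERINIT = r"%System%\userinit.exe"

# Known %System% folders from the note above; all are folded to the %System% token.
SYSTEM_FOLDERS = (r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows\system")

# Other registry modifications this page attributes to TSPY_ONLINEG: (key, value name, data).
ONLINEG_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "TabProcGrowth", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\URL", "SystemMgr", "Del"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater", "enabled", "0"),
]

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _norm(text):
    # Registry paths, names and file paths are case-insensitive on Windows.
    text = text.strip().lower()
    for folder in SYSTEM_FOLDERS:
        text = text.replace(folder, "%system%")
    return text


def userinit_extras(userinit_data):
    """Return every comma-separated Userinit entry other than the default userinit.exe."""
    entries = [e.strip() for e in userinit_data.split(",") if e.strip()]
    return [e for e in entries if _norm(e) != _norm(DEFAULT_USERINIT)]


def find_onlineg_indicators(snapshot):
    """snapshot: {key_path: {value_name: data}} exported from a host. Returns findings."""
    findings = []
    norm = {_norm(k): {_norm(n): str(d) for n, d in vals.items()} for k, vals in snapshot.items()}
    winlogon = norm.get(_norm(WINLOGON_KEY), {})
    for extra in userinit_extras(winlogon.get("userinit", DEFAULT_USERINIT)):
        findings.append(f"Winlogon Userinit has extra entry: {extra}")
    for key, name, data in ONLINEG_INDICATORS:
        if norm.get(_norm(key), {}).get(_norm(name), "").lower() == data.lower():
            findings.append(f"{key}\\{name} = {data}")
    return findings


# Constructed sample snapshot of an infected XP host; abcde.exe stands in for the random name.
SAMPLE_INFECTED = {
    WINLOGON_KEY: {"Userinit": r"C:\Windows\System32\userinit.exe, abcde.exe"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main": {"TabProcGrowth": "0"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater": {"enabled": "0"},
}

if __name__ == "__main__":
    for finding in find_onlineg_indicators(SAMPLE_INFECTED):
        print(finding)
```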

Other Details

This spyware connects to the following possibly malicious URLs:

  • http://www.{BLOCKED}hhuo.net/mljs11/heihaahhuo.png
  • http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.jpg
  • http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.gif
  • http://www.{BLOCKED}a.com/images/china.jpg
  • http://www.{BLOCKED}a.com/images/china.gif
  • http://www.{BLOCKED}a.com/images/china.bmp

Analysis By: Dianne Lagrimas
