When the worm executes, it creates the following files:
The file kavo0.dll is then injected into all running processes.
It also creates the following file, which is a copy of Hacktool.Rootkit
%Temp%\[RANDOM FILE NAME].dll
The worm then copies itself to all drives from C through Z as the following file:
It also creates the following file so that it executes whenever the drive is accessed:
Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"
It then modifies the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer\"NoDriveTypeAutoRun" = "0x91"
The worm checks if it has been injected into any of the following processes:
- wsm.exe and ybclient.exe
It then attempts to steal sensitive information for the following online games:
- Wanmi Shijie or Perfect World
- Dekaron Siwan Mojie
- HuangYi Online
- Rexue Jianghu
- Seal Online
- Maple Story
- R2 (Reign of Revolution)
The worm ends the Matrix Password process if it finds a dialog box with the following characteristics:Title:
Warning! (In Chinese characters)
The harvested information is then sent to the remote attacker via HTTP.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":