| Field | Value |
|---|---|
| Malware name | Trojan.Kavimondas.B |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 7A98EA306DF98711D467C10194788FC4 |
| Static file | yes |
| Filesize | 131,584 Bytes |
| Side effects | Downloads a malicious file; steals information |
| Propagation | No own spreading routine |

Alias names (also known as):

| Vendor | Detection name |
|---|---|
| Sophos | Mal/EncPk-CE |
| McAfee | PWS-Gamania.gen.a |
| CA ETrust | Win32/Frethog!generic |
Description:
Files
It tries to download some files:
– The location is the following:
• http://www.456kill.com/**********/zz.rar
It is saved on the local hard drive under: %TEMPDIR%\zz.rar. This file may contain further download locations and might serve as a source for new threats.
– The location is the following:
• http://www.dfsas23.com/**********/zz.exe
It is saved on the local hard drive under: %TEMPDIR%\zz.exe. Furthermore, this file gets executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as:
Stealing
It tries to steal the following information:
– Passwords from the following programs:
• cabalmain.exe
• wow.exe
• elementclient.exe
• Ragexe.exe
• RagFree.exe
• ybclient.exe
• wsm.exe
• ZodiacOnline.exe
• so3d.exe
• maplestory.exe
• gersang.exe
• fairyclient.exe
• hyo.exe
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.