Hi Sonichko,
1. COVERT ANALYSIS OF: KAVO.EXE
* File Names Used: 7
* Paths Used: 5
* Common File Name: KAVO.EXE
* Common Path: %TEMP%\
* Vendor Information: No Vendor details specified
* KAVO.EXE may use 7 or more path and file names, these are the most common:
* 1 :%CACHE%\CONTENT.IE5\??\AA[1].EXE
* 2 :%CACHE%\CONTENT.IE5\??\HELP[1].EXE
* 3 :%CACHE%\CONTENT.IE5\??\LL[1].EXE
* 4 :%WINDIR%\AF.EXE
* 5 :%WINDIR%\SYSTEM32\KAVO.EXE
* File Name Structure: Normal
* File and Path Structure: Suspicious, code execution from unusual location
2. RELATIONSHIP ANALYSIS OF: KAVO.EXE
* Malicious Objects Created: 2 objects
* Malicious Creators: 1
* Malware Run Keys: None
* Self Persists:
* Antivirus Detection: No third party antivirus detection observed
* Anti-Spyware Detection: No third party anti-spyware detection observed
3. ACTIVITY ANALYSIS OF: KAVO.EXE
* The following behaviors have been observed for this object:
* Installs programs.
* Deletes programs.
* Creates Run Keys.
* Runs other programs.
* Hijacks running processes.
* Creates known malware.
* Creates copies of itself.
4. PROPAGATION ANALYSIS OF: KAVO.EXE
* Malware Group Propagation Rate: Moderate (spreading)
* Malware Group: Covert Sys Exec
polonus