Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:26/02/2009
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:High
Static file:Yes
File size:172.207 Bytes
MD5 checksum:d6614007059d24844269db6ef460e4d9
IVDF version: - Friday, February 6, 2009

 General Aliases:
   •  Symantec: W32.SillyFDC
   •  Sophos: Mal/Generic-A
   •  Panda: W32/Lineage.KYR
   •  Eset: Win32/PSW.OnLineGames.NNU

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads files
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\kva8wr.exe
   • %drive%\

It renames the following files:

      %malware execution directory% into c:\%existing file or directory%.vcd

It deletes the initially executed copy of itself.

It deletes the following file:
   • %SYSDIR%\drivers\cdaudio.sys

It may corrupt the following file:
   • %SYSDIR%\drivers\cdaudio.sys

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\drivers\klif.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.4160

%SYSDIR%\bgotrtu0.dll Detected as: TR/Vundo

%SYSDIR%\uweyiwe0.dll Detected as: TR/Crypt.XPACK.Gen


It tries to download some files:

The location is the following:

The location is the following:

 Registry One of the following values is added in order to run the process after reboot:

   • "kvasoft"="%SYSDIR%\kva8wr.exe"

The following registry keys are added in order to load the service after reboot:

   • "Type"=dword:00000001

The following registry keys are changed:

Various Explorer settings:
   New value:
   • "NoDriveTypeAutoRun"=dword:00000091

   New value:
   • "CheckedValue"=dword:00000000

   New value:
   • "ShowSuperHidden"=dword:00000001

 Injection –  It injects the following file into a process: %SYSDIR%\uweyiwe0.dll

 It injects a process watching routine into a process.

    Process name:
   • explorer.exe

 Rootkit Technology Hides the following:
– Its own process

Method used:
     Hidden from Master File Table (MFT)
     Hidden from Windows API
     Hidden from Interrupt Descriptor Table (IDT)

Description inserted by Petre Galan on Monday, July 6, 2009
Description updated by Petre Galan on Tuesday, August 18, 2009

Back . . . .