
Trojan.PWS.Onlinegames.ZGE

VERY LOW
VERY LOW
120kbytes
(Win32/PSW.OnLineGames.NMY(NOD32))

Symptoms

Presence of the specified files and registry keys.

Removal instructions:

Please let BitDefender disinfect your files.
Manual: using a file system browser other than Explorer, enable the display of hidden files and delete the
    above-mentioned files.
    Press Start, Run... and in the box type Regedit.exe, find the above registry entries and delete them.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

The virus is initially an executable file; when it is launched it does the following:
    copies itself to %SYSTEM%\[virus_name].exe (e.g. ckvo.exe)
    drops %SYSTEM%\[virus_name][N].exe (e.g. ckvo1.dll), which is used to monitor
    actions (keystrokes) inside game executables
    drops %TEMP%\f.dll, which contains the code for the actions mentioned below
    overwrites %SYSTEM%\drivers\vga.sys and loads this driver.
    In order to be launched when partitions' root folders are accessed from Explorer, the malware creates
    in these locations the files autorun.inf and ffocj.com, the latter being a copy of the malware.

    Creates [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "kamsoft"="C:\\WINDOWS\\system32\\ckvo.exe"
    and
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVsys]
    "Type"=dword:00000001
    "ErrorControl"=dword:00000001
    "Start"=dword:00000001
    "ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\vga.sys"

    Explorer.exe will be injected with the first DLL to hook the messages exchanged between the target applications and the system, in order to steal
    user data typed inside those applications.

    Tries to download a file from the following URL: http://www.mgmicrosoft.com/[removed]/help1.rar
        

    The Explorer setting for the visibility of hidden files will be set to "Not Show",
    and any attempt to modify it from "Folder Options" will be overwritten. Hidden files
    are still visible from other file system browsers.

    The target applications are some online games: Silkroad Online, KnightOnline, Lineage, Cabal Online.
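An added example, not BitDefender's own tooling, that checks the persistence artifacts listed above (the "kamsoft" Run value, the KAVsys driver service, and a root-folder autorun.inf) against a constructed registry snapshot and a constructed autorun.inf; the snapshot format and the autorun.inf contents are assumptions, since the page only names the files and keys.

```python
import re
from typing import Dict, List

# Registry keys named in the description above. The snapshot format
# {key: {value_name: data}} is a constructed stand-in for a live registry read.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVsys"


def check_registry(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return findings for the Run value and the KAVsys driver service."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        # Match either the value name or the path of the dropped executable.
        if name.lower() == "kamsoft" or str(data).lower().endswith(r"system32\ckvo.exe"):
            findings.append(f"Run value {name!r} starts {data}")
    svc = reg.get(SERVICE_KEY, {})
    image = str(svc.get("ImagePath", "")).lower()
    # Start=1 (SERVICE_SYSTEM_START) means the driver is loaded early in boot.
    if image.endswith(r"drivers\vga.sys") and svc.get("Start") == 1:
        findings.append(f"service KAVsys loads {svc['ImagePath']} at system start")
    return findings


def check_autorun(inf_text: str) -> List[str]:
    """Flag autorun.inf directives that launch an executable from the drive root.

    open / shellexecute / shell\\...\\command are standard autorun.inf keys;
    the sample content below is constructed, not taken from the malware."""
    findings = []
    directive = re.compile(r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I)
    for line in inf_text.splitlines():
        m = directive.match(line)
        if not m:
            continue
        target = m.group(2)
        if target.lower().endswith((".com", ".exe")):
            findings.append(f"{m.group(1)} launches {target}")
    return findings


# Constructed inputs mirroring the indicators listed in the description.
SAMPLE_REGISTRY = {
    RUN_KEY: {"kamsoft": r"C:\WINDOWS\system32\ckvo.exe"},
    SERVICE_KEY: {"Type": 1, "ErrorControl": 1, "Start": 1,
                  "ImagePath": r"\??\C:\WINDOWS\system32\drivers\vga.sys"},
}
SAMPLE_AUTORUN = "[AutoRun]\nopen=ffocj.com\nshellexecute=ffocj.com\nicon=ffocj.com\n"

if __name__ == "__main__":
    for f in check_registry(SAMPLE_REGISTRY) + check_autorun(SAMPLE_AUTORUN):
        print("FOUND:", f)
```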