Win32/Ciavax [Threat Name]

Win32/Ciavax.A [Threat Variant Name]

Category: trojan
Size: 69632 B
Aliases: Trojan.Win32.Cidox.afag (Kaspersky), Worm:Win32/Dorkbot.AS (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %personal%\Application Data\explorer.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "~backup~" = "%personal%\Application Data\explorer.exe"

The trojan launches the following processes:

  • %windir%\explorer.exe

The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs. It communicates over HTTP.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • modify network traffic
  • modify website content

The trojan alters the behavior of the following processes:

  • browser.exe
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

The trojan hooks the following Windows APIs:

  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)

The trojan creates the following files:

  • %cookies%\cf
  • %personal%\Application Data\explorer.exe
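
The following triage script is an added example, not part of the original description: it checks the current user's profile for the dropped files and the Run-key entry listed above, and also flags the general case of any autorun that points to an explorer.exe outside %windir%. It assumes that %personal% and %cookies% correspond to the .NET special folders 'Personal' and 'Cookies'.

```powershell
# Added example: current-user triage for the artifacts listed in this description.
# Assumption: %personal% and %cookies% correspond to the .NET special folders
# 'Personal' and 'Cookies'; adjust if your reading of the notation differs.
$personal     = [Environment]::GetFolderPath('Personal')
$cookies      = [Environment]::GetFolderPath('Cookies')
$realExplorer = Join-Path $env:windir 'explorer.exe'
$findings     = @()

# 1. Files the description says the trojan creates.
$candidates = @()
if ($personal) { $candidates += Join-Path $personal 'Application Data\explorer.exe' }
if ($cookies)  { $candidates += Join-Path $cookies 'cf' }
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $len  = (Get-Item -LiteralPath $path -Force).Length
        # 69632 B is the sample size given in the description.
        $note = if ($len -eq 69632) { 'size matches listed sample' } else { "size $len B" }
        $findings += [pscustomobject]@{ Check = 'File'; Item = $path; Note = $note }
    }
}

# 2. Run-key persistence: the exact value name, plus the general case of any
#    autorun pointing at an explorer.exe that is not %windir%\explorer.exe.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }   # skip provider metadata
        $value   = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        $isNamed = $prop.Name -eq '~backup~'
        $isFake  = ($value -match 'explorer\.exe') -and
                   ($value -notmatch [regex]::Escape($realExplorer))
        if ($isNamed -or $isFake) {
            $note = if ($isNamed) { 'value name listed in description' } else { 'explorer.exe outside %windir%' }
            $findings += [pscustomobject]@{ Check = 'Run'; Item = "$($prop.Name) = $value"; Note = $note }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No artifacts from this description found for the current user.'
}
```

A hit on the generic explorer.exe check alone is a masquerading lead that needs follow-up, not a confirmed detection of this variant.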
