Win32/Ciavax [Threat Name]

Win32/Ciavax.C [Threat Variant Name]

Category: trojan
Size: 86016 B
Aliases: Worm:.Win32/Dorkbot.AS (Microsoft)
         Trojan.Mayachok.18634 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %mydocuments%\Application Data\explorer.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "~backup~" = "%mydocuments%\Application Data\explorer.exe"

After the installation is complete, the trojan deletes the original executable file.
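
The persistence described above can be checked against an export of a user's Run-key values. The following is an added example, not part of the original description or any vendor tooling: it flags the "~backup~" value name and any explorer.exe that starts from outside %windir%. The function names, the sample entries and the resolved paths are assumptions constructed for illustration.

```python
import ntpath
import re

RUN_VALUE_NAME = "~backup~"    # value name from the description above
MASQUERADED = "explorer.exe"   # file name the trojan copies itself as


def image_path(command):
    """Extract the normalised executable path from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]      # quoted image, arguments dropped
    else:
        m = re.match(r"(?i).*?\.exe\b", cmd)
        cmd = m.group(0) if m else cmd
    return ntpath.normcase(ntpath.normpath(cmd))


def check_run_entry(name, command, windir):
    """Return the reasons one Run-key entry matches the described persistence."""
    reasons = []
    image = image_path(command)
    if name.lower() == RUN_VALUE_NAME:      # registry value names ignore case
        reasons.append("value name ~backup~")
    # The genuine shell sits directly in %windir%; a copy elsewhere is a masquerade.
    legit_dir = ntpath.normcase(ntpath.normpath(windir))
    if ntpath.basename(image) == MASQUERADED and ntpath.dirname(image) != legit_dir:
        reasons.append("explorer.exe outside %windir%")
    return reasons


def scan(entries, windir):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    hits = {}
    for name, command in entries:
        reasons = check_run_entry(name, command, windir)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample of HKCU\...\Run values (paths and names are made up).
SAMPLE = [
    ("~backup~", r'"C:\Users\alice\Documents\Application Data\explorer.exe"'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\explorer.exe /s"),
    ("Shell", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for value, why in scan(SAMPLE, r"C:\Windows").items():
        print(value, "->", ", ".join(why))
```

The second rule is independent of the value name, so it still fires if a variant uses a different Run value.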

The trojan executes the following files:

  • %windir%\explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

Win32/Ciavax.C is a trojan that steals sensitive information.

The trojan collects the following information:

  • information about the operating system and system settings
  • default Internet browser
  • the list of installed software

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 19 URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • modify network traffic
  • modify the content of websites
  • send gathered information

The trojan injects JavaScript code into web pages visited by the user.

The trojan affects the behavior of the following applications:

  • chrome.exe
  • firefox.exe
  • opera.exe
  • iexplore.exe
  • browser.exe

The trojan hooks the following Windows APIs:

  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)

The trojan may create the following files:

  • %mydocuments%\Application Data\explorer.exe
  • %mydocuments%\Application Data\explorer.dat
  • %mydocuments%\Application Data\explorer.reg
  • %mydocuments%\Application Data\~dwnld.exe
  • %cookies%\cfid
  • %cookies%\cf
  • %system%\explorer.dll
