Aveo

Posted: August 18, 2016
Threat Metric
Threat Level: 8/10
Infected PCs 148

Aveo Description

Aveo is a backdoor Trojan that gives remote attackers control over reading and writing files on your PC. Associated security issues may provoke the installation of new threats besides Aveo, or help the Trojan's administrators collect confidential information. Defenses against Aveo's campaign that malware experts currently recommend include scanning unidentified e-mail content and using anti-malware products to remove Aveo if it does succeed in installing itself.

Threat's Back Door into the Nation of Japan

In their simplest formats, backdoor Trojans are not extremely sophisticated threats but do include attack features capable of creating enormous security implications. Even ones based on previously-examined families may avoid outdated identification methods while collecting sensitive data, disabling essential settings or installing other programs. For an example specific to a single country, malware analysts can point out Aveo, a variant of DragonOK (or FormerFirstRAT).

Like its predecessor in backdoor attacks, Aveo only targets Japanese PC owners. Its installer is a disguised e-mail attachment that loads a spreadsheet in Japanese text while also installing Aveo, and then using a batch script for removing any file system-based traces of the act. The spreadsheet's contents invoke data related to a research initiative by the Saitama Institute of Technicalnology, providing a possible clue as to which entities are preferred targets.

Features of Aveo that malware analysts found significant include:

  • Aveo uses a Registry modification to maintain persistence in your system after any reboots.
  • Aveo transfers some essential system information, such as the version of Windows and IP addresses, to a C&C server. Remote attackers may use these identifiers for coordinating other attacks through their backdoor. Aveo conceals this traffic with an RC4 data-encrypting algorithm using a methodology identical to that of its 2015 family, DragonOK/FormerFirstRAT.
  • This backdoor Trojan also has simple, but comprehensive access to the infected PC's file system. Aveo may read existent content, write new data, examine drive lists and directories, and analyze any individual file attributes.

Excelling at Blocking Fake Excel Attacks

Besides its highly geographically-specialized campaign, Aveo's infection vectors also show other characteristics making their visual identification possible. PC owners believing themselves at risk should look for attachments using Microsoft Excel's spreadsheet icon, which the campaign uses to hide the fact that the attachment is an intentionally-misnamed executable. Since Aveo's installer includes a document as a distraction from its real purpose, seeing a spreadsheet open after launching the attachment isn't an indication of safety.

Aveo and FormerFirstRAT are not rated as being especially highly-developed threats by malware analysts but do provide fully-functional backdoors through which con artists may access and control your PC. Assume that Aveo is active until you take steps to disable it, such as booting directly from a recovery device. As always, your anti-malware programs, if kept patched, should detect and delete Aveo during their scheduled or manual system scans.

Ordinarily, e-mail is a technicalnological innovation that has provided incalculable benefit to individuals, businesses, governments and NGOs communicate with one another. However, Japanese PC users forgetting that digital communication also may be a threat attack vector soon may find themselves losing control of the PCs they own.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Aveo may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



cd6d979280146c3205010ac3c4b81d02 File name: cd6d979280146c3205010ac3c4b81d02
Size: 241.68 KB (241688 bytes)
MD5: cd6d979280146c3205010ac3c4b81d02
Detection count: 23
Group: Malware file
Last Updated: August 19, 2016

Registry Modifications


The following newly produced Registry Values are:

Registry keySOFTWARE\microsoft\windows\currentversion\run\msnetbridge

Related Posts

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.