
Kazy Trojan

Posted: October 26, 2011

Threat Metric

Threat Level: 8/10
Infected PCs: 43,474
First Seen: January 19, 2011
Last Seen: May 20, 2023
OS(es) Affected: Windows

Kazy Trojan is a backdoor Trojan that can be configured to cause a range of attacks, but is particularly known for attacking online bank-related information (thus causing Kazy Trojan to be dubbed a 'banker Trojan' or simply a 'banker'). Although there are many variants of Kazy Trojan that can be spread by different methods, SpywareRemove.com malware researchers have noticed recent e-mail spam attacks that install Kazy Trojan in the form of a fake password generator. This version of Kazy Trojan is also named in a misleading fashion and hides its true file type, and may directly attack anti-malware programs by deleting their files. If you suspect that you've been infected by Kazy Trojan, you should take steps to deactivate Kazy Trojan, such as rebooting in Safe Mode, and then run an appropriately powerful anti-malware application (while reinstalling any deleted files, if this is necessary). You may also need to change passwords for your bank accounts to prevent criminals from using Kazy Trojan's stolen information to target you with online theft.

Kazy Trojan – a Not-So-Crazy Example of Why You Shouldn't Trust Strange E-mail Messages

Kazy Trojan can be distributed by many methods, including through malicious scripts that are embedded on hostile sites, through misleading advertisements and as part of an installation package for unrelated software. However, the most recent Kazy Trojan attack begins with a simple e-mail message with this subject line: 'Pick a Safe, Strong Password!' This is followed by the message reproduced below:

Kazy Trojan is included in the form of a link to an .exe file, supposedly for this (in fact, nonexistent) password-generating program. Other disguises that Kazy Trojan uses in the process of installing itself include a fake .gif format indicator and the name 'iexplorer.exe' (a slight variant of the Internet Explorer file name 'iexplore.exe'). Major problems that SpywareRemove.com malware experts have traced back to this variant of Kazy Trojan include:

  • Deletion of important files for anti-malware, anti-virus and anti-spyware programs. Kazy Trojan will delete these files to keep your PC security software non-functional, which makes it difficult to remove Kazy Trojan by appropriate methods.
  • Web browser hijacks that redirect you to phishing sites. Kazy Trojan is well-known for using phishing scams that present themselves in the form of fake online bank login pages, but you should be able to detect these scams by looking for minor variations in the web address or URL. If you enter your account information into these sites, you'll receive a generic error, and the criminals behind Kazy Trojan will have access to your account. Brazil-based banks are particularly likely targets of Kazy Trojan phishing attempts.
  • Other attacks that attempt to violate your computer's security, including changes to your firewall or network settings.
  • Fake error messages that build up a pretense of your computer being infected with PC threats other than Kazy Trojan.

As a backdoor Trojan, Kazy Trojan can also be configured to cause other attacks that may vary in nature but are always harmful.

Restoring Sanity to Your PC by Packing Up Kazy Trojan

If you practice good Internet safety habits and delete this Kazy Trojan e-mail message without interacting with its link, your PC should be secure against any Kazy Trojan attacks. If you think you've been infected with Kazy Trojan, cleaning your PC of Kazy Trojan should be your first priority, even if visible symptoms of Kazy Trojan attacks haven't manifested. To do otherwise risks the loss of finances in your bank account, as well as control of your computer itself.

Because Kazy Trojan interferes very actively with anti-malware programs, SpywareRemove.com malware researchers recommend that you reboot into Safe Mode with Networking (an option that's available on any Windows computer). This boots Windows without launching unnecessary programs and allows you to reinstall any missing files. Once this is done, all that's required to remove Kazy Trojan infections from your PC is an earnest and in-depth system scan.

Aliases of Kazy Trojan include (but aren't limited to) Trojan.Win32.Pakes.oya, Trojan.Fakealert.20587, Mal/FakeAV-IK, Generic22.YJ and Win32/Kryptik.MLF.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:


Registry Modifications

The following Registry values are newly produced:

Regexp file mask:

  • %APPDATA%\Microsoft\Windows\Explorer.exe
  • %APPDATA%\msconfig.exe
  • %APPDATA%\wininit.exe
  • %SystemDrive%\RECYCLER\svchost.exe
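The disguises described above (a PE hidden behind a .gif extension, the 'iexplorer.exe' lookalike of 'iexplore.exe', and Windows binary names such as wininit.exe or svchost.exe dropped into %APPDATA% or a RECYCLER folder) can be screened for from a file listing. The following Python is an added example written for this page, not SpywareRemove.com's tooling; the legitimate-directory table, the detection labels and the sample listing are constructed assumptions.

```python
# Windows binary names the page reports Kazy imitating (iexplorer.exe vs
# iexplore.exe) or dropping outside their normal directories (registry masks).
SYSTEM_BINARIES = {"iexplore.exe", "explorer.exe", "msconfig.exe",
                   "wininit.exe", "svchost.exe", "taskeng.exe"}
# Assumed, simplified: lower-cased directories those names are expected in.
LEGIT_DIRS = {r"%windir%\system32", r"%windir%", r"%programfiles%\internet explorer"}
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(path: str, header: bytes) -> list[str]:
    """Disguise patterns one file matches, given its path and first bytes."""
    directory, _, name = path.lower().rpartition("\\")
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    findings = []
    # 1. PE image (MZ header) hiding behind a non-executable extension such as .gif
    if header.startswith(b"MZ") and ext not in PE_EXTENSIONS:
        findings.append("pe-with-fake-extension")
    # 2. Genuine system binary name sitting where it does not belong
    if name in SYSTEM_BINARIES:
        if directory not in LEGIT_DIRS:
            findings.append("system-name-outside-system-dir")
    # 3. Name one edit away from a system binary (iexplorer.exe vs iexplore.exe)
    else:
        findings += [f"lookalike-of-{k}" for k in sorted(SYSTEM_BINARIES)
                     if edit_distance(name, k) == 1]
    return findings

def scan(listing: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each suspicious path to its findings; clean files are left out."""
    return {path: f for path, header in listing if (f := check(path, header))}

# Constructed sample listing (not real observations): two benign entries,
# the page's lookalike name, a PE with a .gif extension and two mask paths.
SAMPLE_LISTING = [
    (r"%PROGRAMFILES%\Internet Explorer\iexplore.exe", b"MZ\x90\x00"),
    (r"%WINDIR%\system32\svchost.exe", b"MZ\x90\x00"),
    (r"%TEMP%\iexplorer.exe", b"MZ\x90\x00"),
    (r"%TEMP%\passgen.gif", b"MZ\x90\x00"),
    (r"%APPDATA%\wininit.exe", b"MZ\x90\x00"),
    (r"%SystemDrive%\RECYCLER\svchost.exe", b"MZ\x90\x00"),
]
```

On a real host the listing would be built by walking the user-writable directories and reading the first bytes of each file; a hit is a reason to quarantine and scan, not proof of infection by itself.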


One Comment

  • Barlow says:

    I closed my account at National City but I'm still getting emails from my online banking account and I would like to close that as well. But I can't figure out how to do it. Think this trojan has something to do with it. Help please!
