Kazy Trojan
Posted: October 26, 2011
Threat Metric
The fields shown on the Threat Meter that carry a specific value are explained below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level is relative to the threat's consistently assessed behaviors, as collected by SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs reported in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, but based specifically on the number of confirmed and suspected infections per day. A high volume count usually indicates a currently popular threat, which may or may not have infected a large number of systems overall; a threat with a high detection count can lie dormant and show a low volume count. The Volume Count criterion is relative to the daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equals sign, represents the recent movement of a particular threat. An up arrow represents an increase, a down arrow a decline, and the equals sign no change in the threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact corresponds directly to the current Trend Path, indicating a rise or a decline.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 43,495 |
| First Seen: | January 19, 2011 |
| Last Seen: | July 15, 2024 |
| OS(es) Affected: | Windows |
Kazy Trojan is a backdoor Trojan that can be configured to carry out a range of attacks, but it is best known for stealing online banking information (hence its classification as a 'banker Trojan', or simply a 'banker'). Many Kazy Trojan variants exist and spread by different methods; SpywareRemove.com malware researchers have recently observed e-mail spam campaigns that install Kazy Trojan disguised as a password generator. This variant uses a misleading file name, hides its true file type, and may directly attack anti-malware programs by deleting their files. If you suspect a Kazy Trojan infection, first deactivate the Trojan (for example, by rebooting into Safe Mode), then run a capable anti-malware application, reinstalling any deleted security-software files if necessary. You should also change the passwords for your bank accounts so that criminals cannot use credentials already stolen by Kazy Trojan to rob you.
Kazy Trojan – a Not-So-Crazy Example of Why You Shouldn't Trust Strange E-mail Messages
Kazy Trojan can be distributed by many methods, including malicious scripts embedded in hostile websites, misleading advertisements and bundling with installers for unrelated software. However, the most recent Kazy Trojan campaign begins with a simple e-mail message carrying the subject line 'Pick a Safe, Strong Password!' This is followed by the message reproduced below:
Kazy Trojan arrives as a link to an .exe file that supposedly is this (in fact non-existent) password-generating program. Other disguises Kazy Trojan uses while installing itself include a fake .gif file-type indicator and the file name 'iexplorer.exe', a one-letter variation on the Internet Explorer executable name 'iexplore.exe'. Major problems that SpywareRemove.com malware experts have traced to this variant of Kazy Trojan include:
- Deletion of files belonging to anti-malware, anti-virus and anti-spyware programs. Kazy Trojan deletes these files to keep your security software non-functional, which makes it harder to remove Kazy Trojan by normal means.
- Web browser hijacks that redirect you to phishing sites. Kazy Trojan is well known for phishing pages that imitate online bank login pages; you can usually spot them by looking for minor variations in the web address (URL). If you enter your account information into such a page, you receive only a generic error, while the criminals behind Kazy Trojan gain access to your account. Brazil-based banks are particularly likely targets of Kazy Trojan phishing attempts.
- Other attacks on your computer's security, including changes to your firewall or network settings.
- Fake error messages that build up a pretense that your computer is infected with threats other than Kazy Trojan.
As a backdoor Trojan, Kazy Trojan can also be configured to carry out other attacks that vary in nature but are always harmful.
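The "minor variations in the web address" test from the phishing bullet above, turned into code. This is an added example, not code from the page or from SpywareRemove.com; the trusted bank domains, the short public-suffix list, the confusable-character table and the sample URLs are all constructed for illustration.

```python
"""Classify a bank-login URL as trusted, suspicious, lookalike or unknown.

Added example. TRUSTED_BANK_DOMAINS, MULTI_LABEL_SUFFIXES and the confusable
table are constructed assumptions; a real deployment would load the bank's own
domains and the Public Suffix List.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_BANK_DOMAINS = {"examplebank.com", "bancoexemplo.com.br"}  # constructed
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}  # tiny stand-in for the PSL
# Digits that attackers substitute for visually similar letters.
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_label(label):
    """Undo common homoglyph substitutions (examp1e -> example, exarnple -> example)."""
    return label.translate(SINGLE_CHAR_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable_domain(host):
    """Return the part of the hostname that a registrant actually controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; inputs are short labels, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url, trusted=TRUSTED_BANK_DOMAINS):
    """Return (verdict, reason). Pass a full URL including the scheme."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unknown", "no hostname in URL"
    try:
        ipaddress.ip_address(host)
        return "lookalike", "login page served from a raw IP address"
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in trusted:
        if parts.scheme != "https":
            return "suspicious", f"{reg} is trusted but the login page is not served over HTTPS"
        return "trusted", f"registrable domain {reg} is on the trusted list"
    dotted = f".{host}."
    for t in trusted:
        # examplebank.com.evil.net: the bank's name is only a subdomain of evil.net.
        if f".{t}." in dotted:
            return "lookalike", f"trusted name {t} appears as a subdomain of {reg}"
    sld = reg.split(".")[0]
    for t in trusted:
        t_sld = t.split(".")[0]
        if sld == t_sld:
            return "lookalike", f"{t_sld} registered under a different suffix ({reg})"
        if normalise_label(sld) == t_sld:
            return "lookalike", f"{reg} uses look-alike characters for {t}"
        limit = 2 if len(t_sld) >= 8 else 1
        if levenshtein(normalise_label(sld), t_sld) <= limit:
            return "lookalike", f"{reg} is within {limit} edit(s) of {t}"
    return "unknown", f"{reg} is not a trusted bank domain"


if __name__ == "__main__":
    for sample in ("https://login.examplebank.com/auth", "https://examplebank.com.evil.net/",
                   "https://examp1ebank.com/", "https://192.0.2.10/login"):
        print(sample, "->", classify_login_url(sample))
```

The check cannot catch a hijack that leaves the URL intact, such as a hosts-file or DNS change that points the genuine bank hostname at the attacker's server; there, the browser's certificate warning is the relevant signal, and the hosts file belongs in the host-side sweep.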
Restoring Sanity to Your PC by Packing Up Kazy Trojan
If you practice good Internet safety habits and delete the Kazy Trojan e-mail without clicking its link, your PC should be safe from this attack. If you think you have been infected, cleaning Kazy Trojan from your PC should be your first priority, even if no visible symptoms have appeared. Doing otherwise risks the loss of money from your bank account as well as control of your computer itself.
Because Kazy Trojan interferes very actively with anti-malware programs, SpywareRemove.com malware researchers recommend rebooting into Safe Mode with Networking (an option available on any Windows computer). Safe Mode starts Windows without the Startup folder and Run-key programs, so the Startup-folder copies listed under Technical Details (WinSTAT.exe and SystemAutorun.exe) are not launched, which gives you the chance to reinstall any missing security-software files. Once this is done, an earnest, in-depth system scan is all that is required to remove the Kazy Trojan infection.
Aliases of Kazy Trojan include (but are not limited to) Trojan.Win32.Pakes.oya, Trojan.Fakealert.20587, Mal/FakeAV-IK, Generic22.YJ and Win32/Kryptik.MLF.
Technical Details
File System Modifications
The following files were created on infected systems (sizes in bytes; every entry is classed by the site as a malware file):

| Path | Size (bytes) | MD5 | Detection count | File type | Last updated |
|---|---|---|---|---|---|
| C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinSTAT.exe.vir | 1,460,224 | 3698510016a5878cfe85f9b0ce118de4 | 2,850 | quarantined copy (.vir) | May 6, 2022 |
| %APPDATA%\UG\imageScreen\Explorer.exe | 86,528 | 5439c5392d04eaac51e99715990b48ef | 761 | Executable | September 10, 2016 |
| %USERPROFILE%\Documents\svchost.exe | 22,016 | 60307d18d495127316e7fa586eef7ace | 696 | Executable | August 9, 2016 |
| %APPDATA%\Adobe\uPlus.exe | 24,576 | d7af7474417d821f20c24b9eeb3a77b7 | 204 | Executable | June 16, 2016 |
| msitoexe.setupproject1.msi (path not listed) | 9,572,352 | beed71661af78e2f9c27b5b4d3898484 | 91 | Windows Installer package | July 20, 2015 |
| %ALLUSERSPROFILE%\WinSTAT\WinSTAT.exe | 1,460,224 | 14225559d047188befe148f6d2c406ec | 77 | Executable | March 30, 2016 |
| %LOCALAPPDATA%\isvkjff.dll | 84,480 | 8f81499f78a86e9ade0a0e4ef0132669 | 76 | Dynamic link library | May 20, 2015 |
| %TEMP%\dvt792nb.cpp | 150,528 | fe198d3c3be104744d80950cd3e620c0 | 65 | not listed | February 17, 2014 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemAutorun.exe | 81,920 | a3e6f6161e10d61fbf3974620cf7acd3 | 64 | Executable | April 16, 2015 |
| %ALLUSERSPROFILE%\Application Data\LujerOdfum\ZosofAvten.ujf | 344,064 | bfe92aad1220d8e0a7d620b0248bde7f | 61 | not listed | June 3, 2015 |
| %ALLUSERSPROFILE%\Teslielro\1.0.1.0\oxaucoau.exe | 158,720 | 771ef16b6c1b2c214a2d31d3036dcd34 | 53 | Executable | May 29, 2015 |
| %APPDATA%\Microsoft\file.exe | 237,568 | c82ed031452e750d3d0470f6326ea0de | 24 | Executable | April 25, 2016 |
| %APPDATA%\BeckHello\awe.exe | 9,728 | 906039608a7d1844eaadfc78d4867106 | 23 | Executable | March 26, 2016 |
| %LOCALAPPDATA%\Ahbworks\CNBJOP7b.dll | 59,904 | ea9825d68463051ad51026b128281bf9 | 14 | Dynamic link library | April 24, 2014 |
| %TEMP%\qlmvjin.exe | 2,098,688 | 551eb4af1eb2aff43894ab9af4eb758d | 14 | Executable | November 26, 2014 |
| %APPDATA%\Geimkiy\suozo.exe | 281,135 | c8961101f0fea0286abdd7eda0148598 | 9 | Executable | November 27, 2014 |
| %TEMP%\WINDOWS\TEMPARCHIVE\taskeng.exe | 60,416 | 3aa31ccc52e5f05188e5ac84f55fb06f | 7 | Executable | August 27, 2016 |
| %APPDATA%\WinUpdtr\Doctor Doctor Who DVDRipS Seasons 2.exe | 49,152 | 933845ea3fd0eb2b27ca610ea4931b45 | 5 | Executable | December 1, 2014 |
| %WINDIR%\system32\lz32RPIT.exe | 271,360 | 42032f435925eafb543018c8e2d0a8e3 | 5 | Executable | December 3, 2014 |
| %APPDATA%\Microsoft\AdobeFlashPlayerUpdater.exe | 320,512 | 72a6e20af7ea4b79706cbf1c8f0815ed | 4 | Executable | March 25, 2016 |
| C:\ProgramData\44490504.exe | not listed | not listed | not listed | Executable | not listed |

Three things in this list matter when you use it as indicators: the first entry is a copy quarantined by ComboFix (C:\Qoobox\Quarantine is its quarantine folder and the .vir suffix marks a quarantined file), and its mirrored path shows the file originally sat in the all-users Startup folder, so it ran at every logon; the two WinSTAT.exe samples have identical sizes but different MD5s, so match on hash rather than size; and several entries borrow the names of legitimate Windows binaries (Explorer.exe, svchost.exe, taskeng.exe) or of well-known software (AdobeFlashPlayerUpdater.exe) while sitting in user-writable directories such as %APPDATA%, %TEMP% and %USERPROFILE%\Documents, where the genuine files never live. That location mismatch is itself a reliable indicator; only lz32RPIT.exe in %WINDIR%\system32 needs the hash to be told apart from system files.
File Masks
The following path patterns (regular-expression file masks) are also associated with Kazy Trojan; each is the name of a Windows system binary placed in a location where the genuine file never resides:
- %APPDATA%\Microsoft\Windows\Explorer.exe
- %APPDATA%\msconfig.exe
- %APPDATA%\wininit.exe
- %SystemDrive%\RECYCLER\svchost.exe
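A host-side sweep that turns the indicators on this page into a check: the path-and-MD5 entries from the file list, the file masks (system binary names outside the system directory), and the two installation disguises described earlier (the 'iexplorer.exe' typosquat of iexplore.exe and the fake .gif file type). This is an added example and not code from the page or from SpywareRemove.com. The IOCS table copies a subset of the paths and MD5s printed above; the system-binary name list, the roots swept for masks, the decoy-extension set and every helper are this example's own assumptions. On a live Windows host pass env=os.environ; the accompanying test uses a constructed temporary directory.

```python
"""Sweep a Windows profile for the Kazy Trojan artefacts listed on this page.

Added example. IOCS is a subset of the page's file list; SYSTEM_BINARY_NAMES,
MASK_ROOTS and DECOY_EXTS are assumptions made for this sweep.
"""
import hashlib
import os
import re

# Subset of the page's file list: (path with %VAR% placeholders, MD5).
IOCS = [
    (r"%ALLUSERSPROFILE%\WinSTAT\WinSTAT.exe", "14225559d047188befe148f6d2c406ec"),
    (r"%APPDATA%\UG\imageScreen\Explorer.exe", "5439c5392d04eaac51e99715990b48ef"),
    (r"%USERPROFILE%\Documents\svchost.exe", "60307d18d495127316e7fa586eef7ace"),
    (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemAutorun.exe",
     "a3e6f6161e10d61fbf3974620cf7acd3"),
    (r"%TEMP%\WINDOWS\TEMPARCHIVE\taskeng.exe", "3aa31ccc52e5f05188e5ac84f55fb06f"),
    (r"%WINDIR%\system32\lz32RPIT.exe", "42032f435925eafb543018c8e2d0a8e3"),
]
# Names from the page's file masks plus iexplore.exe, which this variant imitates.
# Ordered so iexplorer.exe is reported against iexplore.exe rather than explorer.exe.
SYSTEM_BINARY_NAMES = ("iexplore.exe", "explorer.exe", "svchost.exe", "msconfig.exe",
                       "wininit.exe", "taskeng.exe")
# User-writable roots in which those names never legitimately appear (assumption).
MASK_ROOTS = (r"%APPDATA%", r"%LOCALAPPDATA%", r"%TEMP%", r"%USERPROFILE%\Documents",
              r"%ALLUSERSPROFILE%", r"%SystemDrive%\RECYCLER")
# Inner extensions used to make an .exe look like a picture or document.
DECOY_EXTS = {".gif", ".jpg", ".png", ".pdf", ".doc", ".txt"}


def expand(path, env):
    """Expand %VAR% placeholders from env (case-insensitive) and normalise separators."""
    upper = {k.upper(): v for k, v in env.items()}
    out = re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)
    return os.path.normpath(out.replace("\\", os.sep))


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large samples are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def typosquat_of(name):
    """Return the system binary that `name` imitates by inserting one character, else None."""
    stem, ext = os.path.splitext(name.lower())
    for sysname in SYSTEM_BINARY_NAMES:
        sysstem, sysext = os.path.splitext(sysname)
        if ext == sysext and len(stem) == len(sysstem) + 1 and any(
            stem[:i] + stem[i + 1:] == sysstem for i in range(len(stem))
        ):
            return sysname
    return None


def has_decoy_extension(name):
    """True for names such as photo.gif.exe that hide an executable behind a picture."""
    stem, ext = os.path.splitext(name.lower())
    return ext == ".exe" and os.path.splitext(stem)[1] in DECOY_EXTS


def sweep(env, iocs=IOCS):
    """Return (finding, path) tuples for every indicator that matches under env."""
    findings, seen = [], set()
    for ioc_path, ioc_md5 in iocs:
        p = expand(ioc_path, env)
        if "%" in p or not os.path.isfile(p):
            continue  # placeholder undefined on this host, or file absent
        seen.add(p)
        if md5_of(p) == ioc_md5:
            findings.append(("exact IOC match", p))
        else:
            findings.append(("IOC path present, hash differs (possible variant)", p))
    for root in MASK_ROOTS:
        r = expand(root, env)
        if "%" in r or not os.path.isdir(r):
            continue
        for dirpath, _, files in os.walk(r):
            for name in files:
                full = os.path.normpath(os.path.join(dirpath, name))
                if full in seen:
                    continue  # %TEMP% sits under %LOCALAPPDATA%; report each file once
                seen.add(full)
                squatted = typosquat_of(name)
                if name.lower() in SYSTEM_BINARY_NAMES:
                    findings.append(("system binary name in user-writable location", full))
                elif squatted:
                    findings.append((f"typosquat of {squatted}", full))
                elif has_decoy_extension(name):
                    findings.append(("decoy extension hides an executable", full))
    return findings


if __name__ == "__main__":
    for finding, path in sweep(os.environ):
        print(f"{finding}: {path}")
```

A hash mismatch on a known path is still worth reporting: the two WinSTAT.exe samples above share a size but not an MD5, so a variant that lands at the same path will miss the hash and be caught only by the path. The mask rules do nothing for lz32RPIT.exe in %WINDIR%\system32, which is why the exact-hash list is kept alongside them.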
Related Posts
- Gen:Variant.Adware.Kazy.166854
- Gen:Variant.Adware.Kazy.432610
- TR/Kazy.169263.1
- Gen:Variant.Kazy.44360
- Gen.Variant.Kazy
I closed my account at National City but I'm still getting emails from my online banking account and I would like to close that as well. But I can't figure out how to do it. Think this trojan has something to do with it. Help please!