A remote access Trojan family dubbed Aveo, that targets primarily Japanese speaking users has been reported by malware researchers to cause infections on a massive scale. This type of Trojans is particularly dangerous since it can gain complete remote control of the computers it infects and steal information from them, spy on the user, steal files, install other malware and even crash the operating system of the computer. To learn how to be able to remove Aveo remote access Trojan and protect yourself and your data from it, we advise you to read this article thoroughly.
|Short Description||The Aveo trojan family drops multiple files and gains Read and Write permissions over Windows computers and sends information to a remote C&C server.|
|Distribution Method||Via a malicious file disguised as a Microsoft Excel document.|
|Detection Tool|| See If Your System Has Been Affected by Aveo |
Malware Removal Tool
|User Experience||Join our forum to Discuss Aveo Trojan.|
How is Aveo Trojan Spread?
To be widespread, Aveo uses a payload carrying .exe file that has the Microsoft Excel icon and resembles a legitimate document. This file may be sent out to users via e-mail networks as well as on social media messages and even uploaded on file-sharing networks. Cyber-criminals may even pay for spam-bots that may redistribute it’s drive by download via malicious web links spammed as a referral spam on various websites to reach more and more potential victims.
Aveo Trojan – Technical Information
Palo Alto researchers have established that as soon as it has been executed, the Aveo trojan drops several different files on the victim computer in the %Program Files% folder:
- Ram.exe – the malware itself.
- Cave workshop participants.xls – a decoy file that is opened with Excel to not raise any suspicion of infection.
- Mshelp32.exe – a script.
- Stting32.ini – used by the cleanup script.
The Aveo Trojan is also reported to connect remotely to a domain to which it communicates:
The domain is reported by researchers to have associations with an e-mail address, named [email protected] This e-mail address or the domain itself may be associated with the following IP addresses:
The addresses themselves are believed to be hosted in the US, and there were more domains that were associated with this contact information:
After infection, the Aveo malware will also send this information to it’s server:
- Unique hash identifier.
- IP Address.
- OS version.
- Ansi identification code.
The Aveo ransomware may also modify the Windows Registry Editor, more specifically insert values in the following key:
In addition to this, the virus also can:
- Insert commands in the Windows shell.
- Get file information.
- Read and Write permissions.
- Drive information.
- Execute DIR commands for certain paths.
Aveo RAT – Conclusion, Removal, and Protection
As a bottom line, this Trojan family has been created by someone who knew what they were doing, and the purpose of why they were created is not clear yet. One scenario may be massive online information theft campaign, which may be done either for profit or political agendas. Whatever the case may be, Aveo RAT has no place on your computer, and it’s removal is strongly advisable. For maximum effectiveness and permanent removal of the Aveo RAT, we advise you to follow carefully the step-by-step instructions, outlined in this article. They are carefully designed so that they help you remove Aveo properly and stay protected in the future as well.