PWS-Gamania

Type
Trojan
SubType
Password Stealer
Discovery Date
09/09/2005
Length
Varies
Minimum DAT
4578 (09/09/2005)
Updated DAT
6546 (11/30/2011)
Minimum Engine
5.2.00
Description Added
09/09/2005
Description Modified
03/19/2010 5:27 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

PWS-Gamania is a password-stealing trojan that attempts to steal account credentials for certain online games.

The behaviour of this password stealer (which passwords are stolen, which sites are contacted, which files are downloaded, etc.) varies with how the attacker configured the sample. The following is therefore a general description based on one analysed sample.

Upon execution, the Trojan connects to the site "www.ya[removed]d3.com" on remote TCP port 80.

The Trojan copies itself into the following locations:

  • %temp%\xvassdf.exe
  • %SystemDrive%\q1.exe

The Trojan drops the following files into the system:

  • %temp%\4tddfwq0.dll [ Detected as PWS-OnlineGames.hh]
  • %temp%\ar.exe
  • %SystemDrive%\autorun.inf [Detected as Generic!atr.b]

The following registry key has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN\]
  • Urlinfo = "nmxsw.k"
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
  • 54dfsger = "%temp%\xvassdf.exe"

The Run value above ensures that the Trojan is executed every time the infected user logs on. The MADOWN key under CLSID is not a real COM class registration; it is used by the Trojan as a marker/configuration store.

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\]
  • CheckedValue = 0x00000000
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
  • Hidden = 0x00000002

These two modifications disable the display of hidden files and folders: Hidden = 2 turns off "Show hidden files and folders" for the infected user, and CheckedValue = 0 under SHOWALL prevents the user from turning it back on through the Folder Options dialog (the option silently reverts). This hides the dropped files, which are created with the hidden attribute.

[Where %Temp% is the user's Temp directory and %SystemDrive% is the drive on which Windows is installed (C: on most computers).]

Symptoms

  • Presence of the files and registry keys/values listed above
  • Unexpected network connections to the site listed above on remote port 80
  • Hidden files and folders no longer displayed in Explorer, and the "Show hidden files and folders" setting not staying enabled

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Properties

  • MD5: 8395497D0D997270EA8F04E229A36783
  • SHA1: A0BE8AD24345220AA31F71244BA328D1012B3B3C

Aliases

  • Symantec: W32.Gammima.AG
  • Microsoft: Worm:Win32/Taterf.B
  • DrWebCL: Trojan.PWS.Wsgame.13295
  • Avast: Win32:OnLineGames-FQE [Trj]
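The following script is an added example and is not part of the McAfee description. It turns the indicators listed under Characteristics and Symptoms, together with the MD5/SHA1 under File Properties, into a host check: it looks for the copied and dropped files in every user's Temp directory and the system drive root, hashes any file it finds against the known sample, checks the per-user Run value, the MADOWN marker key and the two hidden-file settings, and lists established connections to remote port 80 from processes running out of a Temp directory (a heuristic added here, because the C2 hostname is redacted on the page). The optional -Restore switch, also an addition, puts the two hidden-file settings back to their defaults (1 = show hidden files); it does not remove the malware, which should be left to the recommended engine and DAT.

```powershell
# Added example: check a Windows host for the PWS-Gamania indicators listed on this page.
# Run from an elevated PowerShell 5.1+ session (Get-FileHash needs PS 4+,
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
param([switch]$Restore)

# Hashes from the File Properties section of the page.
$KnownMd5  = '8395497D0D997270EA8F04E229A36783'
$KnownSha1 = 'A0BE8AD24345220AA31F71244BA328D1012B3B3C'

$SysDrive = $env:SystemDrive
$Findings = @()

# %temp% is per user; the infected profile may not be the one running this script,
# so check the current Temp plus every profile's AppData\Local\Temp.
$TempDirs = @([System.IO.Path]::GetTempPath().TrimEnd('\')) +
    (Get-ChildItem "$SysDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
$Files = foreach ($d in ($TempDirs | Sort-Object -Unique)) {
    "$d\xvassdf.exe"; "$d\4tddfwq0.dll"; "$d\ar.exe"
}
$Files += "$SysDrive\q1.exe", "$SysDrive\autorun.inf"

foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        # -Force so hidden files are included (the trojan hides them).
        $null = Get-Item -LiteralPath $f -Force
        $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -LiteralPath $f -Algorithm SHA1).Hash
        $known = ($md5 -eq $KnownMd5) -or ($sha1 -eq $KnownSha1)
        $Findings += [pscustomobject]@{ Type = 'File'; Where = $f
            Detail = "MD5=$md5 SHA1=$sha1 MatchesKnownSample=$known" }
    }
}

# Per-user registry: the Run value and the Explorer "Hidden" setting (2 = do not show).
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $run = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name '54dfsger' -ErrorAction SilentlyContinue
    if ($v) {
        $Findings += [pscustomobject]@{ Type = 'Registry'; Where = "$run\54dfsger"; Detail = $v.'54dfsger' }
    }
    $adv = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    $h = Get-ItemProperty -Path $adv -Name 'Hidden' -ErrorAction SilentlyContinue
    if ($h -and $h.Hidden -eq 2) {
        $Findings += [pscustomobject]@{ Type = 'Registry'; Where = "$adv\Hidden"; Detail = '2 (hidden files not shown)' }
        if ($Restore) { Set-ItemProperty -Path $adv -Name 'Hidden' -Value 1 }
    }
}

# Machine-wide registry: the MADOWN marker key and the SHOWALL CheckedValue.
$madown = 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN'
if (Test-Path $madown) {
    $u = (Get-ItemProperty -Path $madown -ErrorAction SilentlyContinue).Urlinfo
    $Findings += [pscustomobject]@{ Type = 'Registry'; Where = $madown; Detail = "Urlinfo=$u" }
}
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name 'CheckedValue' -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) {
    $Findings += [pscustomobject]@{ Type = 'Registry'; Where = "$showAll\CheckedValue"
        Detail = '0 ("Show hidden files" option cannot be enabled)' }
    if ($Restore) { Set-ItemProperty -Path $showAll -Name 'CheckedValue' -Value 1 -Type DWord }
}

# Network heuristic (added here): established port-80 connections owned by a
# process whose image lives in a Temp directory, which is where the trojan copies itself.
Get-NetTCPConnection -RemotePort 80 -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.Path -and $p.Path -like '*\Temp\*') {
        $Findings += [pscustomobject]@{ Type = 'Network'; Where = $p.Path
            Detail = "$($_.RemoteAddress):80 (PID $($p.Id))" }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize -Wrap } else { 'No PWS-Gamania indicators found.' }
```

A hash match only confirms the single sample described here; the dropped DLL and ar.exe, and any reconfigured build of the stealer, will not match, so treat the file paths and registry values as the primary indicators and the hashes as confirmation. Because the sample also drops autorun.inf at the root of the system drive, check removable media that was attached to the infected host for the same file before it is used elsewhere.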
