PWS-Gamania.gen.a!F8BE85E7

Type: Trojan
SubType: Password
Discovery Date: 09/18/2008
Length: 99181
Minimum DAT: 5386 (09/17/2008)
Updated DAT: 5386 (09/17/2008)
Minimum Engine: 5.3.00
Description Added: 09/18/2008
Description Modified: 09/18/2008 1:01 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

| File Property | Property Value |
|---|---|
| File Name | d1b372~1.exe |
| McAfee Detection | PWS-Gamania.gen.a |
| Length | 99,181 bytes |
| CRC | F8BE85E7 |
| MD5 | DB6FDC8C912EC6088544BA588D0B0285 |
| SHA1 | B875164B61323BF67B360638CEC9E7AE02DA4BBD |

Other Common Detection Aliases

| Company Name | Detection Name |
|---|---|
| avast | Win32:Rootkit-gen |
| AVG (GriSoft) | PSW.OnlineGames.2.S |
| Avira | TR/Crypt.XPACK.Gen |
| BitDefender | Packer.Malware.NSAnti.1 |
| Kaspersky | Worm.Win32.AutoRun.nns |
| microsoft | pws:win32/frethog.aj |
| norman | w32/viking.gen5 |
| panda | Generic |
| Sophos | Sus/UnkPacker |
| Symantec | Infostealer.Gampass |
| vba32 | Trojan-GameThief.Win32.Magania.aayp |

Avert® Labs has observed the following system activities:

| Activity | Risk Level |
|---|---|
| Enumerates running processes | Medium |
| Writes executable in the windows folder | Low |

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\system32\drivers\klif.sys

The following registry elements have been created:

  • hkey_local_machine\system\currentcontrolset\services\kavsys\
    • errorcontrol = 1
    • imagepath = \??\c:\windows\system32\drivers\klif.sys
    • start = 1
    • type = 1

Symptoms

The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

N/A

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
