Generic PWS.ak

Type: Trojan
Discovery Date: 11/04/2008
Length: VARIES
Minimum DAT: 5424 (11/04/2008)
Updated DAT: 5665 (07/03/2009)
Minimum Engine: 5.2.00
Description Added: 11/04/2008
Description Modified: 02/24/2009 4:10 PM (PT)
Overview

Trojan that is spread manually, typically under the pretence that the file is something beneficial. Infection relies on the victim executing an unknown program, sometimes aided by exploitation of a security or system weakness. It can be transferred by many means, from peer-to-peer networks to email, and has no spreading routine of its own.
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Aliases
• F-Secure: Trojan-GameThief.Win32.Magania.aozb
• Kaspersky: Trojan-GameThief.Win32.Magania.aozb
Characteristics

On execution the Trojan copies itself to %SYSDIR%\tavo.exe.
The following files are created:
– %SYSDIR%\drivers\klif.sys (further investigation showed this file to be malware as well, detected as TR/Drop.Onlinegames2)
– %SYSDIR%\tavo0.dll (further investigation showed this file to be malware as well, detected as TR/DLL.Onlinegames.B)
It tries to download the following files:
– http://adeui.com/**********/ff.exe, saved as %TEMPDIR%\ff.exe and executed once fully downloaded (further investigation showed this file to be malware as well, detected as TR/Onlinegames.CP)
– http://adeui.com/**********/cc.exe, saved as %TEMPDIR%\cc.exe and executed once fully downloaded (further investigation showed this file to be malware as well, detected as TR/Onlinegames.CP)
Registry
The following registry value is added so that the Trojan runs again after a reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• tava="%SYSDIR%\tavo.exe"
Note that the value is named "tava" while the file it launches is "tavo.exe"; when hunting for this entry, match on the value data (the path), not on the value name. Because the key is under HKCU, the entry only starts the Trojan at logon of the user account that was infected.
To hinder detection and reduce file size, the file is packed with a runtime packer.
File details
Programming language: the malware was written in MS Visual C++.
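As an added example (not part of McAfee's advisory or tooling), the following Python script turns the indicators from the Characteristics section into an offline triage check that also produces the ordered clean-up steps the Removal section asks for. It takes a file listing and the values under the HKCU Run key collected from a host, expands %SYSDIR% and %TEMPDIR% to the real folders, reports which indicators are present, and lists what to remove in an order that works. The sample snapshot, the folder paths and the process name tavo.exe are assumptions for illustration; the match on the Run value data rather than its name follows from the "tava"/"tavo.exe" mismatch in the advisory.

```python
"""Offline IOC triage for the Generic PWS.ak indicators in this advisory.

Added example, not McAfee's code.  It works on a host snapshot (a file
listing plus the values under HKCU\\...\\Run) that you collect separately,
so it runs on any analysis box.  The snapshot at the bottom is constructed.
"""
from __future__ import annotations

import ntpath

# File indicators from the advisory, kept with the advisory's placeholders.
DROPPED_FILES = (
    r"%SYSDIR%\tavo.exe",
    r"%SYSDIR%\tavo0.dll",
    r"%SYSDIR%\drivers\klif.sys",
    r"%TEMPDIR%\ff.exe",
    r"%TEMPDIR%\cc.exe",
)
# Persistence indicator from the advisory.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_DATA = r"%SYSDIR%\tavo.exe"
PROCESS_NAME = "tavo.exe"  # assumption: the copy runs under its file name


def expand(path: str, sysdir: str, tempdir: str) -> str:
    """Substitute the advisory's placeholders with the host's real folders."""
    return path.replace("%SYSDIR%", sysdir).replace("%TEMPDIR%", tempdir)


def norm(path: str) -> str:
    """Canonical NT path: quotes stripped, lower case, backslashes only.
    ntpath is usable on every platform, so this also runs on Linux."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def match_files(present: list[str], sysdir: str, tempdir: str) -> list[str]:
    """Advisory placeholders whose expanded path appears in the file listing."""
    wanted = {norm(expand(p, sysdir, tempdir)): p for p in DROPPED_FILES}
    seen = {norm(f) for f in present}
    return sorted(wanted[n] for n in wanted if n in seen)


def match_run_values(run_values: dict[str, str], sysdir: str,
                     tempdir: str) -> list[tuple[str, str]]:
    """(name, data) pairs under the Run key whose data launches tavo.exe.

    Match on the data, not the value name: the advisory's value name
    ("tava") does not even match the file it starts ("tavo.exe"), and a
    variant can rename the value without changing what it launches."""
    target = norm(expand(RUN_VALUE_DATA, sysdir, tempdir))
    return [(n, d) for n, d in run_values.items() if norm(d) == target]


def removal_plan(file_hits: list[str], run_hits: list[tuple[str, str]],
                 sysdir: str, tempdir: str) -> list[str]:
    """Manual clean-up in an order that works: stop the process first (a
    running image locks its file), then the autorun value, then the files."""
    steps: list[str] = []
    if file_hits or run_hits:
        steps.append(f"terminate process {PROCESS_NAME}")
    for name, _ in run_hits:
        steps.append(f"delete value '{name}' under {RUN_KEY}")
    for p in file_hits:
        real = expand(p, sysdir, tempdir)
        if real.lower().endswith(".sys"):
            # a loaded kernel driver cannot be deleted in place
            steps.append(f"delete {real} after reboot")
        else:
            steps.append(f"delete {real}")
    return steps


# Constructed sample snapshot (not real telemetry).  Mixed case and a
# forward slash are deliberate: collectors are not consistent.
SAMPLE_SYSDIR = r"C:\WINDOWS\system32"
SAMPLE_TEMPDIR = r"C:\DOCUME~1\user\LOCALS~1\Temp"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Windows\System32\TAVO.EXE",
    "c:/windows/system32/drivers/klif.sys",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\ff.exe",
]
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "tava": r'"C:\WINDOWS\system32\tavo.exe"',
}


def triage(files=SAMPLE_FILES, run_values=SAMPLE_RUN,
           sysdir=SAMPLE_SYSDIR, tempdir=SAMPLE_TEMPDIR) -> dict:
    """Run every check on a snapshot and return findings plus a plan."""
    file_hits = match_files(files, sysdir, tempdir)
    run_hits = match_run_values(run_values, sysdir, tempdir)
    return {
        "infected": bool(file_hits or run_hits),
        "files": file_hits,
        "run": run_hits,
        "plan": removal_plan(file_hits, run_hits, sysdir, tempdir),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Feed it a real listing (for example the output of a recursive dir of the system and temp folders and a reg query of the Run key) instead of the constructed sample; because the comparison is done on normalised paths, case differences and forward slashes in the collected data do not cause misses.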
Symptoms

Downloads malicious files
Writes an executable to the Windows system folder (%SYSDIR%)
Drops malicious files
Modifies the registry
Enumerates running processes
Deletes the initially executed copy of itself
Is packed with a runtime packer to hinder detection and reduce file size
Method of Infection

No spreading routine of its own; the Trojan is distributed manually (see Overview).

Removal
All Users:
Use the current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations: on these versions System Restore may keep a copy of the infected files in a restore point, so temporarily disable System Restore before cleaning to avoid reintroducing them from a restore.
Variants

N/A