Generic PWS.ak
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 11/04/2008
- Length: VARIES
- Minimum DAT: 5424 (11/04/2008)
- Updated DAT: 6519 (11/03/2011)
- Minimum Engine: 5.3.00
- Description Added: 11/04/2008
- Description Modified: 09/02/2010 8:19 AM (PT)
Characteristics
----Updated September 02, 2010 -------------------
File Information
- MD5 - C730AAEF9F6C8AB012FC51F066DB25B4
- SHA-1 - 11D4F28604211641818AB5A6E8A377A8515FCC59
Aliases
- Kaspersky - Trojan-GameThief.Win32.Magania.cgsz
- NOD32 - a variant of Win32/Pacex.Gen
- Ikarus - Worm.Win32.Taterf
- Microsoft - Worm:Win32/Taterf.B
Generic PWS.ak is a Trojan that steals online game accounts and passwords by monitoring the system.
Upon execution, the Trojan copies itself to the following locations:
- %Windir%\system32\olhrwef.exe [Hidden] [Detected as Generic PWS.ak]
- %SystemDrive%\m1rqygb.exe [Hidden] [Detected as Generic PWS.ak]
and drops the following files:
- %Windir%\system32\nmdfgds0.dll [Detected as Generic PWS.ak]
- %Windir%\system32\nmdfgds1.dll [Detected as Generic PWS.ak]
The Trojan also attempts to create an autorun.inf file in the root of every accessible disk volume:
- %SystemDrive%\autorun.inf [Hidden]
The autorun.inf is configured to launch the Trojan binary through the following directives, so that opening the volume in Explorer (or inserting the medium where AutoRun is still honored) starts the hidden copy at the root:
- [AutoRun]
- open=m1rqygb.exe
- shell\open\Command=m1rqygb.exe
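To make the autorun.inf mechanism concrete, here is a small parser and triage check, added as an example (it is not McAfee's code and not part of the original description). It reads the INI-style file, pulls out every directive that launches a program, and flags targets that are bare executables at the volume root, optionally matched against a list of known file names. The sample file contents are constructed from the listing above; the function names and the `known_names` parameter are this example's own.

```python
"""Parser and triage check for autorun.inf launch directives.  Added example,
not McAfee's code; SAMPLE_AUTORUN is constructed from the listing above."""
import ntpath
import re

# Directives that make Explorer launch something when a volume is opened or
# double-clicked.  'shell\<verb>\command' defines a context-menu verb; the
# Trojan redefines 'open', which is also the default double-click action.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_autorun(text: str) -> dict:
    """Return {section: {key: value}} for an INI-style autorun.inf.

    Keys and section names are lower-cased (Windows treats them
    case-insensitively); comment lines (';' or '#') and blank lines are
    skipped; a key that appears before any section header is kept under ''."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line: keep going rather than abort triage
        sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections: dict) -> dict:
    """Map each launch directive in [autorun] to the program it invokes."""
    targets = {}
    for key, value in sections.get("autorun", {}).items():
        if LAUNCH_KEYS.match(key):
            # First token is the program; any arguments follow it.
            targets[key] = value.split()[0].strip('"') if value.strip() else ""
    return targets


def suspicious_targets(sections: dict, known_names=()) -> set:
    """Executables launched from the volume root.

    A target is reported when its file name is in known_names, or when it is a
    bare executable with no path component, the pattern the autorun.inf above
    uses (open=m1rqygb.exe next to a hidden m1rqygb.exe at the root)."""
    known = {n.lower() for n in known_names}
    hits = set()
    for program in launch_targets(sections).values():
        name = ntpath.basename(program).lower()
        if not name:
            continue
        bare_exe = name == program.lower() and ntpath.splitext(name)[1] in EXECUTABLE_EXT
        if name in known or bare_exe:
            hits.add(name)
    return hits


# Constructed reproduction of the autorun.inf listed in the description.
SAMPLE_AUTORUN = "[AutoRun]\r\nopen=m1rqygb.exe\r\nshell\\open\\Command=m1rqygb.exe\r\n"

if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    print(launch_targets(parsed))
    print(suspicious_targets(parsed, known_names=["m1rqygb.exe"]))
```

A bare `open=setup.exe` is also what legitimate installation media use, so a hit is a lead rather than a verdict: check the file's hidden attribute and hash it before acting. AutoRun from non-optical media is no longer honored on Windows 7 and, after update KB971029, on XP and Vista, so this propagation path mainly concerns the older platforms this description lists.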
The following registry keys are added to the system:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
The following registry values are added under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys]:
- "Type" = 0x00000001
- "Start" = 0x00000003
- "ErrorControl" = 0x00000001
- "ImagePath" = "\??\C:\WINDOWS\system32\drivers\cdaudio.sys"
- "DisplayName" = "AVPsys"
Type 0x1 (SERVICE_KERNEL_DRIVER) and Start 0x3 (SERVICE_DEMAND_START) register a kernel driver that is loaded on request rather than at boot. The service carries an antivirus-sounding name while its image path points at a driver file named cdaudio.sys, so neither the service name nor the file name should be taken at face value when triaging.
The following registry value ensures that the malware binary runs again at every user logon:
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run]
  "cdoosoft" = "%Windir%\system32\olhrwef.exe"
The following registry values are modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  "CheckedValue" = 0x00000000
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "Hidden" = 0x00000002
These two changes prevent the user from viewing hidden files and folders: "Hidden" = 2 selects "Do not show hidden files and folders", and "CheckedValue" = 0 means that choosing "Show hidden files and folders" in Folder Options no longer switches it back, so the files marked [Hidden] above stay invisible in Explorer.
[Where %WinDir% is the Windows directory, for example C:\Windows, and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]
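The service key, Run value and Explorer settings above are cheap to verify on a host or against an exported registry snapshot. The following script, added here as an example rather than taken from McAfee's description, decodes the service Type/Start values, flags a kernel-driver service whose image name is unrelated to its service name, matches Run values against the names given above, and interprets the two hidden-file values. The snapshot dict is constructed from the listing above; the function names, the IOC tables and the `collect_live()` helper are this example's own.

```python
"""Triage of the persistence artifacts listed above.  Added example, not
McAfee's tooling.  The analysis functions take plain dicts so they can run
against an exported snapshot off-host; collect_live() (Windows only, stdlib
winreg) fills the same dicts from the live registry."""
import ntpath
import sys

# Service "Type" / "Start" DWORDs as the Service Control Manager defines them.
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

# Indicators copied from the description above (lower-cased for comparison).
IOC_SERVICE_NAME = "avpsys"
IOC_RUN_ENTRIES = {"cdoosoft": "olhrwef.exe", "tava": "tavo.exe"}


def normalize_image_path(image_path: str) -> str:
    """'\\??\\C:\\WINDOWS\\x.sys' -> 'c:\\windows\\x.sys' (drop NT prefix and quotes)."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def service_findings(name: str, values: dict) -> list:
    """Reasons one Services\\<name> key is suspicious; empty list if nothing noted."""
    svc_type = SERVICE_TYPES.get(values.get("Type"), "unknown")
    start = START_TYPES.get(values.get("Start"), "unknown")
    image = ntpath.basename(normalize_image_path(str(values.get("ImagePath", ""))))
    stem = ntpath.splitext(image)[0]
    findings = []
    if name.lower() == IOC_SERVICE_NAME:
        findings.append(f"service '{name}' is a known Generic PWS.ak indicator")
    if svc_type == "SERVICE_KERNEL_DRIVER" and stem and stem not in name.lower() and name.lower() not in stem:
        # A kernel driver whose file name has nothing to do with its service
        # name (here 'AVPsys' loading cdaudio.sys) deserves a closer look.
        findings.append(f"kernel driver '{name}' ({start}) loads unrelated image {image}")
    return findings


def run_key_findings(run_values: dict) -> list:
    """Match HKCU\\...\\Run values against the value names and images given above."""
    findings = []
    for value_name, command in run_values.items():
        exe = ntpath.basename(normalize_image_path(str(command)))
        if value_name.lower() in IOC_RUN_ENTRIES or exe in IOC_RUN_ENTRIES.values():
            findings.append(f"Run value '{value_name}' -> {str(command).strip()}")
    return findings


def hidden_file_settings(showall_checked_value, advanced_hidden) -> dict:
    """Interpret the two Explorer values the Trojan modifies.

    HKCU\\...\\Advanced\\Hidden: 1 = show hidden files, 2 = do not show.  2 is
    the out-of-box default, so on its own it is not an indicator.
    HKLM\\...\\Folder\\Hidden\\SHOWALL\\CheckedValue is what Explorer writes into
    Hidden when the user picks "Show hidden files"; it is 1 on a clean system,
    so 0 turns that option into a no-op and is the real tamper signal."""
    return {"hidden_files_shown": advanced_hidden == 1,
            "showall_tampered": showall_checked_value != 1}


def triage(snapshot: dict) -> list:
    """Run every check over a {'service_name','service','run','showall','advanced'} dict."""
    findings = service_findings(snapshot.get("service_name", ""), snapshot.get("service", {}))
    findings += run_key_findings(snapshot.get("run", {}))
    hf = hidden_file_settings(snapshot.get("showall", {}).get("CheckedValue"),
                              snapshot.get("advanced", {}).get("Hidden"))
    if hf["showall_tampered"]:
        findings.append("SHOWALL\\CheckedValue != 1: 'Show hidden files' has been disabled")
    return findings


def collect_live() -> dict:
    """Read the same locations from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("collect_live() needs the Windows registry; pass a snapshot dict instead")
    import winreg

    def read_values(root, path):
        out, i = {}, 0
        try:
            with winreg.OpenKey(root, path) as key:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        return out
                    out[name] = data
                    i += 1
        except FileNotFoundError:
            return out

    return {
        "service_name": "AVPsys",
        "service": read_values(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\AVPsys"),
        "run": read_values(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        "showall": read_values(winreg.HKEY_LOCAL_MACHINE,
                               r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"),
        "advanced": read_values(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"),
    }


# Constructed snapshot reproducing the values listed in the description.
SAMPLE_SNAPSHOT = {
    "service_name": "AVPsys",
    "service": {"Type": 1, "Start": 3, "ErrorControl": 1,
                "ImagePath": r"\??\C:\WINDOWS\system32\drivers\cdaudio.sys", "DisplayName": "AVPsys"},
    "run": {"cdoosoft": r" C:\WINDOWS\system32\olhrwef.exe"},
    "showall": {"CheckedValue": 0},
    "advanced": {"Hidden": 2},
}

if __name__ == "__main__":
    for line in triage(collect_live() if sys.platform == "win32" else SAMPLE_SNAPSHOT):
        print(line)
```

The service-name check is deliberately generic: it does not depend on the AVPsys name and will also surface other driver services whose file name disagrees with the service name, which is worth reviewing on any host where the Run value or the dropped files above are found. Remember that the Run value lives under the infected user's hive, so a live check must run in that user's context or open HKEY_USERS\<SID> explicitly.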
---------------------------------------------------
It copies itself to the following location:
– %SYSDIR%\tavo.exe
The following files are created:
– %SYSDIR%\drivers\klif.sys (further investigation showed that this file is also malware; detected as TR/Drop.Onlinegames2)
– %SYSDIR%\tavo0.dll (further investigation showed that this file is also malware; detected as TR/DLL.Onlinegames.B)
It tries to download the following files:
– http://adeui.com/**********/ff.exe, saved on the local hard drive as %TEMPDIR%\ff.exe and executed once the download completes (further investigation showed that this file is also malware; detected as TR/Onlinegames.CP)
– http://adeui.com/**********/cc.exe, saved on the local hard drive as %TEMPDIR%\cc.exe and executed once the download completes (further investigation showed that this file is also malware; detected as TR/Onlinegames.CP)
Registry
The following registry value is added so that the process runs again after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• tava="%SYSDIR%\tavo.exe"
To hinder detection and reduce the size of the file, it is packed with a runtime packer.
File details
Programming language: the malware was written in MS Visual C++.
Symptoms
Downloads malicious files
Writes executable in the windows folder
Drops malicious files
Registry modification
Enumerates running processes
It deletes the initially executed copy of itself.
Method of Infection
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This Trojan is distributed manually, disguised as something beneficial, and relies on the user running an unknown program; it can arrive by many means, from peer-to-peer networks to e-mail. It has no spreading routine of its own.
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Aliases
- F-Secure: Trojan-GameThief.Win32.Magania.aozb
- Kaspersky: Trojan-GameThief.Win32.Magania.aozb