McAfee > Theat Center > Virus Detail Page

Overview

This description is for a password stealing trojan which attempts to steal user information for certain online games.

The characteristics of this password stealer with regards to passwords stolen, sites accessed, files downloaded etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Trojan-GameThief.Win32.Magania.bdlp [Kaspersky Lab

• W32.Gammima.AG [Symantec]

• Worm:Win32/Taterf.B [Microsoft]

Characteristics

The trojan attempts to start itself via the registry with entry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security

Newly created Registry Values are:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "54dfsger"
Data: C:\WINDOWS\system32\xvassdf.exe

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
"ImagePath"=: \??\C:\WINDOWS\system32\drivers\cdaudio.sys
“Start"
"Type"
“ErrorControl"
“DisplayName" = AVPsys

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Enum
"Count"
"INITSTARTFAILED"
"NextInstance"

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Security "Security"
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The trojan attempts to hide files and folders by modifying the following registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Symptoms

• Presence of files and registry entries mentioned earlier
• Software based firewall, if any installed on the machine, might alert about an unknown program attempting to connect to the internet

Method of Infection

N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This description is for a password stealing trojan which attempts to steal user information for certain online games.

The characteristics of this password stealer with regards to passwords stolen, sites accessed, files downloaded etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Trojan-GameThief.Win32.Magania.bdlp [Kaspersky Lab

• W32.Gammima.AG [Symantec]

• Worm:Win32/Taterf.B [Microsoft]

Characteristics

Characteristics -

The trojan attempts to start itself via the registry with entry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security

Newly created Registry Values are:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "54dfsger"
Data: C:\WINDOWS\system32\xvassdf.exe

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
"ImagePath"=: \??\C:\WINDOWS\system32\drivers\cdaudio.sys
“Start"
"Type"
“ErrorControl"
“DisplayName" = AVPsys

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Enum
"Count"
"INITSTARTFAILED"
"NextInstance"

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys\Security "Security"
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The trojan attempts to hide files and folders by modifying the following registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Symptoms

Symptoms -

• Presence of files and registry entries mentioned earlier
• Software based firewall, if any installed on the machine, might alert about an unknown program attempting to connect to the internet

Method of Infection

Method of Infection -

N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A