PWS-Gamania.gen.a!712200C7

Type
Trojan
SubType
Password
Discovery Date
08/06/2008
Length
105,128 bytes
Minimum DAT
5264 (04/01/2008)
Updated DAT
5344 (07/22/2008)
Minimum Engine
5.1.00
Description Added
08/06/2008
Description Modified
08/06/2008 7:36 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Upon execution, the trojan drops the following files:

  • %SystemDir%\amvo.exe, 105,128 bytes (PWS-Gamania.gen.a trojan)
  • %SystemDir%\amvo0.dll, 70,656 bytes (PWS-Gamania.gen.a trojan)
  • %UserProfile%\Local Settings\Temp\7bpapp.dll, 27,521 bytes (PWS-Gamania.gen.a trojan)

Note:
%SystemDir% refers to the Windows System folder, e.g. C:\Windows\System32.
%UserProfile% is a variable location and refers to the user's profile folder, e.g. C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

The trojan modifies the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "amva" = %SystemDir%\amvo.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    ShowSuperHidden

The trojan attempts to steal account information of the following online games:

  • MapleStory
  • PlayOnline
  • World of Warcraft
  • Lineage

Symptoms

  • Presence of the mentioned files/registry keys
  • Unexpected termination of running processes
  • Unexpected program execution from removable or network drive(s)

Method of Infection

The trojan propagates over removable media and network drives and causes execution of malicious code via an autorun.inf file. It writes the following files to each such drive:

  • x:\autorun.inf, 572 bytes (Generic!atr trojan)
  • x:\oq.cmd, 105,128 bytes (PWS-Gamania.gen.a trojan)

(where x: is the drive letter of a removable or network drive)
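An added, read-only indicator check for the artefacts listed under Characteristics and Method of Infection above; this is not McAfee code, and it assumes Windows PowerShell 3.0 or later with rights to read HKLM:

```powershell
# Added check for the PWS-Gamania.gen.a artefacts in this description (not McAfee code).
# Read-only: it reports findings and does not clean anything.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files (the Temp path is the Windows XP layout quoted above)
$sysDir = [Environment]::SystemDirectory
$tmpDir = Join-Path $env:USERPROFILE 'Local Settings\Temp'
foreach ($f in @((Join-Path $sysDir 'amvo.exe'),
                 (Join-Path $sysDir 'amvo0.dll'),
                 (Join-Path $tmpDir '7bpapp.dll'))) {
    if (Test-Path -LiteralPath $f) { $findings.Add("dropped file present: $f") }
}

# 2. Startup hook: Run value "amva" pointing at amvo.exe
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['amva']) { $findings.Add("Run value amva = $($run.amva)") }

# 3. Explorer settings the trojan tampers with so its files stay hidden.
#    SHOWALL\CheckedValue is normally 1; Hidden/ShowSuperHidden are reported for review
#    because the description does not state the values the trojan writes.
$showAll = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($showAll -and $showAll.CheckedValue -ne 1) { $findings.Add("SHOWALL CheckedValue = $($showAll.CheckedValue) (expected 1)") }
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) { Write-Output "info: Explorer Hidden = $($adv.Hidden), ShowSuperHidden = $($adv.ShowSuperHidden)" }

# 4. AutoRun policy: 0xFF disables AutoRun for every drive type, which blocks the
#    autorun.inf route described under Method of Infection.
$pol = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($pol -and $pol.PSObject.Properties['NoDriveTypeAutoRun']) {
    $v = [int]$pol.NoDriveTypeAutoRun
    if ($v -ne 0xFF) { $findings.Add(("NoDriveTypeAutoRun = 0x{0:X2} (hardened value is 0xFF)" -f $v)) }
} else { $findings.Add('NoDriveTypeAutoRun not set (AutoRun policy at default)') }

# 5. Propagation files on removable (DriveType 2) and network (DriveType 4) drives
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 } | ForEach-Object {
    foreach ($name in 'autorun.inf', 'oq.cmd') {
        $p = Join-Path ($_.DeviceID + '\') $name
        if (Test-Path -LiteralPath $p) { $findings.Add("propagation file present: $p") }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No PWS-Gamania.gen.a indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on any item is a reason to run the current engine and DAT files as described under Removal rather than to delete files by hand.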

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a password stealing trojan for online games. The threat is detected as PWS-Gamania.gen trojan with DAT 5344 or newer and was detected as W32/Autorun.worm.bx.gen from DAT 5264 to DAT 5343.

Aliases

  • PSW.OnlineGames.AO (GRISoft)
  • Trojan Horse (Symantec)
  • W32/Lineage.IGF (Panda)
  • W32/OnLineGames.fam!tr.pws (Fortinet)
  • Worm.Win32.AutoRun.dni (Kaspersky)
  • Worm.Win32.Autorun.eja (Rising)
  • Worm:Win32/Taterf.gen!C (Microsoft)
  • WORM_AUTORUN.BCZ (Trendmicro)
