Generic PWS.ak

Type: Trojan
SubType: Password Stealer
Discovery Date: 11/04/2008
Length: varies
Minimum DAT: 5424 (11/04/2008)
Updated DAT: 6573 (12/28/2011)
Minimum Engine: 5.3.00
Description Added: 11/04/2008
Description Modified: 11/14/2011 8:03 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

----   Updated November 14, 2011 -------------------

Aliases –

    • Kaspersky - Trojan-GameThief.Win32.Magania.ebol
    • Microsoft - Worm:Win32/Taterf.D
    • NOD32 - a variant of Win32/PSW.OnLineGames.PPS
    • Symantec - W32.Gammima.AG

"Generic PWS.ak" is the detection for malware that logs user account details for certain online games.

Upon execution, the Trojan copies itself into the following locations and connects to the site "163[removed].com" through remote port 80 to download other malicious files.

    • %Temp%\rbking.exe [Hidden]
    • %SystemDrive%\skg1.exe [Hidden]

And it drops the following files.

    • %Temp%\rbking0.dll [Hidden]

This Trojan also attempts to create an autorun.inf file in the root of any accessible disk volume:

    • %SystemDrive%\autorun.inf [Hidden]

All the above files are set with the "hidden", "read-only", and "system" attributes.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

    • [AutoRun]
    • open=skg1.exe
    • shell\open\Command=skg1.exe

The following registry value has been added.

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      king_rb = "%Temp%\rbking.exe"

The above registry entry ensures that the Trojan executes every time Windows starts.

The following registry values have been modified.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
      CheckedValue = 0x00000000
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      Hidden = 0x00000002
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      ShowSuperHidden = 0x00000000

The above registry modifications prevent the compromised user from viewing hidden files and folders on the system.

The Trojan looks for the following processes and, if one is found, tries to delete or rename it.

    • Nod32Kui.exe
    • FilMsg.exe
    • Twister.exesss
    • RavMon.exe

[Note: %SystemDrive% - C:\, %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]

-------

----   Updated September 02, 2010 -------------------

File Information

    • MD5 - C730AAEF9F6C8AB012FC51F066DB25B4
    • SHA - 11D4F28604211641818AB5A6E8A377A8515FCC59

Aliases

    • Kaspersky - Trojan-GameThief.Win32.Magania.cgsz
    • NOD32 - a variant of Win32/Pacex.Gen
    • Ikarus - Worm.Win32.Taterf
    • Microsoft - Worm:Win32/Taterf.B

Generic PWS.ak is a Trojan that steals online game accounts and passwords by monitoring the system.

Upon execution, the Trojan copies itself into the following locations.

    • %Windir%\system32\olhrwef.exe [Hidden] [Detected as Generic PWS.ak]
    • %SystemDrive%\m1rqygb.exe [Hidden] [Detected as Generic PWS.ak]

And drops the following files.

    • %Windir%\system32\nmdfgds0.dll [Detected as Generic PWS.ak]
    • %Windir%\system32\nmdfgds1.dll [Detected as Generic PWS.ak]

This Trojan also attempts to create an autorun.inf file in the root of any accessible disk volume:

    • %SystemDrive%\autorun.inf [Hidden]

The autorun.inf is configured to launch the Trojan file via the following command syntax.

    • [AutoRun]
    • open=m1rqygb.exe
    • shell\open\Command=m1rqygb.exe
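The autorun.inf launch syntax shown in both updates (skg1.exe in the November 2011 entry above, m1rqygb.exe here) can be parsed and flagged from the defender's side. The following Python is an added example, not code from the advisory or its vendor; the sample autorun.inf text is constructed to mirror the one described, and the "bare executable in the volume root" heuristic is this example's own.

```python
import re

# [AutoRun] keys that name a program to run when the volume is opened or auto-played:
# "open" and "shell\<verb>\command", the two the advisory shows (verb "open" there).
_LAUNCH_KEY = re.compile(r"^(open|shell\\[^\\]+\\command)$")


def autorun_launch_targets(inf_text):
    """Parse autorun.inf text; return {key: command} for every launch key in [AutoRun]."""
    targets, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if _LAUNCH_KEY.match(key):
            targets[key] = value.strip()
    return targets


def root_executables(inf_text):
    """Launch commands that point at a bare .exe in the volume root (no path component),
    the pattern used for skg1.exe and m1rqygb.exe in the advisory."""
    found = set()
    for command in autorun_launch_targets(inf_text).values():
        parts = command.split()
        program = parts[0].strip('"') if parts else ""
        if program.lower().endswith(".exe") and "\\" not in program and "/" not in program:
            found.add(program.lower())
    return sorted(found)


# Constructed sample mirroring the autorun.inf the advisory describes (not a real capture).
SAMPLE_AUTORUN = "[AutoRun]\r\nopen=skg1.exe\r\nshell\\open\\Command=skg1.exe\r\n"

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN))  # {'open': 'skg1.exe', 'shell\\open\\command': 'skg1.exe'}
    print(root_executables(SAMPLE_AUTORUN))        # ['skg1.exe']
```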

The following registry keys have been added to the system.

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys

The following registry values have been added.

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\]
      "Type" = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\]
      "Start" = 0x00000003
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\]
      "ErrorControl" = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\]
      "ImagePath" = "\??\C:\WINDOWS\system32\drivers\cdaudio.sys"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\]
      "DisplayName" = "AVPsys"

The following registry value ensures that the malware binary registers itself with the compromised system and executes on every boot.

    • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      “cdoosoft” = " %Windir%\system32\olhrwef.exe"

The following registry values have been modified.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\]
      "CheckedValue" = 0x00000000
    • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "Hidden" = 0x00000002

The above registry modifications prevent the compromised user from viewing hidden files and folders on the system.
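One way to check an exported registry for the Explorer concealment settings and the Run-key persistence listed in both updates (this September 2010 entry and the November 2011 one above). This is an added Python example, not code from the advisory or its vendor: it parses .reg export text; the hive/SID normalisation, the temp-folder and drive-root heuristic, and the sample export are this example's own assumptions.

```python
import re
# Explorer settings the advisory lists as modified so the dropped files stay hidden,
# mapped to the value the Trojan writes; the Windows defaults differ from these.
_ADV = "software\\microsoft\\windows\\currentversion\\explorer\\advanced"
CONCEALMENT_INDICATORS = {(_ADV + "\\folder\\hidden\\showall", "checkedvalue"): 0,
                          (_ADV, "hidden"): 2, (_ADV, "showsuperhidden"): 0}
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
# Hive name and optional per-user SID are stripped so HKCU and HKEY_USERS\S-1-... match.
_HIVE = re.compile(r"^(HKEY_[A-Z_]+|HKCU|HKLM|HKU)\\(S-1-[\d-]+\\)?", re.IGNORECASE)

def parse_reg_export(text):
    """Parse .reg export text into {(key_path, value_name): value}; dwords become ints."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = _HIVE.sub("", line[1:-1]).rstrip("\\").lower()
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"').lower()
            if data.lower().startswith("dword:"):
                entries[(key, name)] = int(data[6:], 16)
            else:  # string value: unquote and unescape the doubled backslashes
                entries[(key, name)] = data.strip('"').replace("\\\\", "\\")
    return entries

def concealment_hits(entries):
    """Names of the Explorer settings that hold the value the Trojan writes."""
    return sorted(name for (key, name), bad in CONCEALMENT_INDICATORS.items()
                  if entries.get((key, name)) == bad)

def suspicious_run_values(entries):
    """Run entries whose program sits in a temp folder or directly in a drive root."""
    hits = []
    for (key, name), data in entries.items():
        if key == RUN_KEY and isinstance(data, str):
            program = data.strip('"').lower()
            if "%temp%" in program or "\\temp\\" in program or re.match(r"^[a-z]:\\[^\\]+$", program):
                hits.append((name, data))
    return hits

# Constructed export mirroring the values listed in the advisory (not a real capture).
SAMPLE_EXPORT = r'''[HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"king_rb"="%Temp%\\rbking.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''
```

Run `concealment_hits(parse_reg_export(SAMPLE_EXPORT))` to see all three settings reported; a clean machine returns an empty list.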

[Where %WinDir% is the Windows directory, for example C:\Windows, and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]

---------------------------------------------------

The Trojan saves a copy of itself in the following location:
– %SYSDIR%\tavo.exe

The following files are created:
– %SYSDIR%\drivers\klif.sys (Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Onlinegames2)
– %SYSDIR%\tavo0.dll (Further investigation pointed out that this file is malware, too. Detected as: TR/DLL.Onlinegames.B)

It tries to download some files:
– The location is the following: 
   http://adeui.com/**********/ff.exe

It is saved on the local hard drive as %TEMPDIR%\ff.exe and executed once the download completes. Further investigation showed that this file is also malware, detected as TR/Onlinegames.CP.

– The location is the following: 
   http://adeui.com/**********/cc.exe

It is saved on the local hard drive as %TEMPDIR%\cc.exe and executed once the download completes. Further investigation showed that this file is also malware, detected as TR/Onlinegames.CP.

Registry: the following registry value is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • tava="%SYSDIR%\tavo.exe"

To hinder detection and reduce the file size, it is packed with a runtime packer.

File details
Programming language: the malware program was written in MS Visual C++.

Symptoms

    • Downloads malicious files
    • Writes an executable in the Windows folder
    • Drops malicious files
    • Registry modification
    • Enumerates running processes
    • Deletes the initially executed copy of itself
    • Packed with a runtime packer to hinder detection and reduce the file size
Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview -

A Trojan that is spread manually, often presented as something beneficial, and that relies on the user executing unknown programs; it may involve security and system exploitation. It is transferred by many means, from peer-to-peer networking to e-mail. It has no spreading routine of its own.

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Aliases

  • F-Secure: Trojan-GameThief.Win32.Magania.aozb
  • Kaspersky: Trojan-GameThief.Win32.Magania.aozb
