
Trojan-GameThief.Win32.Nilage.a

Detected Aug 31 2007 13:04 GMT
Released Jun 26 2008 22:56 GMT
Published Aug 31 2007 13:04 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan belongs to a family of Trojans that steal user passwords. It is a Windows PE EXE file, 52 925 bytes in size, packed using FSG.

Installation

When launched, the Trojan copies its executable file to the following directory:

%Program Files%\rundll32.exe

The Trojan also extracts the following .dll file from its body:

%System%\ct1dll.dll - this file is 42 496 bytes in size.

In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"loadMect1" = "<path to Trojan executable file> "

Payload

The Trojan sends notification that the victim machine has been infected to the following email address:

**@webshell.cn

The Trojan logs keystrokes in windows titled "Lineage Windows Client", harvesting the user name and password for Lineage accounts.

Harvested data is saved to the following log file:

c:\gamect1.txt

The log will periodically be sent to the remote malicious user by email.

The Trojan also terminates the following processes:

KVMONXP.KXP
KVXP.KXP
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE
RavMon.exe
PasswordGuard.exe

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "loadMect1" = "<path to Trojan executable file> "
  4. Delete the following files:
    %Program Files%\rundll32.exe
    %System32%\ct1dll.dll
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
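The artifacts listed above, as an added read-only check that is not part of the Kaspersky description: it assumes a PowerShell host on the affected Windows machine and uses only the registry value, file names and process name given on this page; it reports findings and deletes nothing.

```powershell
# Added example: look for the Nilage.a persistence, payload and process
# artifacts described on this page. Read-only; removal is left to the steps above.
function Find-NilageArtifacts {
    $findings = @()

    # 1. Autorun value "loadMect1" under the HKLM Run key.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['loadMect1']) {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Item = "$runKey\loadMect1"; Detail = $run.loadMect1
        }
    }

    # 2. Dropped files. The genuine rundll32.exe lives in the system directory,
    #    so a copy under %Program Files% is the indicator; ct1dll.dll in the
    #    system directory and the keystroke log on C:\ are the other two.
    $paths = @(
        (Join-Path $env:ProgramFiles 'rundll32.exe'),
        (Join-Path ([Environment]::SystemDirectory) 'ct1dll.dll'),
        'C:\gamect1.txt'
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $size = (Get-Item -LiteralPath $p).Length
            $findings += [pscustomobject]@{
                Type = 'File'; Item = $p; Detail = "$size bytes"
            }
        }
    }

    # 3. A running rundll32 whose image path is under %Program Files%
    #    (the legitimate one runs from the system directory).
    Get-Process -Name rundll32 -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$env:ProgramFiles\*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type = 'Process'; Item = "PID $($_.Id)"; Detail = $_.Path
            }
        }

    return $findings
}

Find-NilageArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM key and system directory are readable; an empty table means none of the listed artifacts were found, not that the host is clean by any other measure.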

Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.


Other versions

Aliases

Trojan-GameThief.Win32.Nilage.a (Kaspersky Lab) is also known as:

  • Trojan-PSW.Win32.Nilage.a (Kaspersky Lab)
  • Trojan-PSW.Win32.Lineage.a (Kaspersky Lab)
  • Trojan.PSW.Lineage.a (Kaspersky Lab)
  • Trojan: PWS-LegMir.dll (McAfee)
  • Mal/GamePSW-I (Sophos)
  • Trojan.Delf-1218 (ClamAV)
  • Trojan Horse (Panda)
  • W32/OnlineGames.B.gen!Eldorado (FPROT)
  • PWS:Win32/Lineage (MS(OneCare))
  • Trojan.PWS.Lineage.3234 (DrWeb)
  • Win32/PSW.Lineage.A trojan (Nod32)
  • DeepScan:Generic.Lineage.7E1D836C (BitDef7)
  • Trojan.PWS.Nilage.Gen.3 (VirusBuster)
  • Win32:Hewo (AVAST)
  • Trojan-Dropper.Delf (Ikarus)
  • PSW.OnlineGames3.WJP (AVG)
  • TR/PSW.Nilage.A.2 (AVIRA)
  • Infostealer.Lineage (NAV)
  • W32/Lineage.BDPP (Norman)
  • Trojan-GameThief.Win32.Nilage.a [AVP] (FSecure)
  • TSPY_LINEAGE.GEN (TrendMicro)