Trojan-GameThief.Win32.OnLineGames.lfi

Technical Details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 123873 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

The Trojan also extracts the file shown below from its body:

This file is 44608 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.WOW.ahe.

The Trojan also extracts the file shown below from its body:

This file is 31713 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.mdl.

Payload

The Trojan loads the .dll file to all processes launched in the system.

The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
wow.exe

It sniffs traffic sent to the following addresses:

216.107.***.53
216.107.***.51
216.107.***.52

It does this in an attempt to harvest account data for the following games:

Maple Story
World of Warcraft

and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.

Harvested data is sent to the remote malicious user's site.

The Trojan also modifies the following system registry key parameter values:

The Trojan also attempts to terminate the following processes:

KAV
RAV
AVP
KAVSVC

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:

<X> indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the following file:
   %System%\amvo.exe
2. Reboot the computer.
3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
4. Delete the following system registry key parameter:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "amva" = "%System%\amvo.exe"
5. Restore the original system registry key values:
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Fol
   der\Hidden\SHOWALL]
   "CheckedValue" = "0"
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Hidden" = "2"
   "ShowSuperHidden" = "0"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
   "NoDriveTypeAutoRun" = "0x91"
6. Delete the following file:
   %System%\amvo0.dll
7. Empty the temporary directory (%Temp%).
8. Delete the files shown below from all removable disks:
   <X>:\n1deiect.com
   <x>:\autorun.inf
9. <x> stands for the letter of the removable disk.
10. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).