
Trojan-GameThief.Win32.Magania.dbtv

Detected Apr 14 2010 20:40 GMT
Released Apr 16 2010 06:09 GMT
Published Oct 25 2010 13:34 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

This Trojan belongs to the family of Trojans that steal passwords from online gaming user accounts. It is a Windows application (PE EXE file). The file is 126 464 bytes in size. It is packed using ASPack. The unpacked file is approximately 516 KB in size. It is written in C++.

Installation

Once launched, the Trojan copies its original body to the current user's temporary files directory under the following name:

%Temp%\herss.exe
It assigns "Hidden", "Read Only", and "System" attributes to this file. In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\herss.exe"


Payload

Once launched, the Trojan increases its privileges to gain access to other processes. Depending on whether an "AVP.exe" process is running, the Trojan extracts a malicious driver from its body under different names. If "AVP.exe" is not found, it saves the driver under the name:

%System%\drivers\klif.sys
The file is 3840 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Zapchast.ccf.

If the "AVP.exe" antivirus process is detected, the Trojan rewrites the system driver for the Microsoft CD-ROM audio filter:

%System%\drivers\cdaudio.sys
It creates a service called "KAVsys" and uses it to launch the malicious driver. After launching the driver, the Trojan deletes the following registry key:
[HKLM\System\CurrentControlSet\Services\KAVsys]
and also deletes the file itself:
%System%\drivers\klif.sys
or:
%System%\drivers\cdaudio.sys
It searches for a process named "livesrv.exe" (BitDefender Security Update Service). If a running "livesrv.exe" process is found, the Trojan locates its executable file and moves all executable ("exe") and library ("dll") files from that directory to the root directory of the logical C drive, keeping their original names and appending the new "vcd" extension, for example:
C:\livesrv.exe.vcd
It finds and opens Explorer:
%WinDir%\explorer.exe
If the original Trojan file is not located in the local drive's root directory, the malware ceases running. In other cases the Trojan uses Explorer to open the root directory of the local disk where its executable file is located. In order to ensure that its process is unique in the system, the Trojan creates unique identifiers called "Game_start", "DALXBHDFGERTONGOJK_POP", "MN_XADLEBCBAXCSDFGEWQCDDD0", and "KJLDSOIUBGDSEROPOFGSFSIKDQ_MN". The Trojan then extracts a malicious library from its body and saves it under the following name:
%Temp%\cvasds<rnd>.dll
where rnd is a decimal number.

The file is 86 016 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dbtv.

It assigns "Hidden", "Read Only", and "System" attributes to this file. In a separate thread, 72 000 times per cycle, the Trojan searches for Kaspersky Anti-Virus windows with the class names "AVP.AlertDialog" and "AVP.Product_Notification". The Trojan closes the window with the class name "AVP.AlertDialog" by simulating a mouse click on the dialog window. It closes the window with the class name "AVP.Product_Notification" by sending a close message to this window. It searches for the process:

RavMon.exe
When this process is found, it searches all threads for windows with the class name "#32770" and attempts to close them. It injects its malicious code into the address space of the process "explorer.exe". This launches the malicious library "cvasds<rnd>.dll". The Trojan's library is injected into all launched applications. The Trojan uses this library to perform the following actions:
  • It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:
    [HKLM\System\CurrentControlSet\Control\Nls\Language]
  • In order to hide files with "Hidden" and "System" attributes, the Trojan creates the following parameters in the system registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
    
  • If "iexplore.exe" is the parent process for this library, every 500 milliseconds the Trojan searches the thread for a window with the class name "IEFrame". If successful, it returns the handle of the found window in order to later process data entered into the browser by the user.
  • It enables autorun for applications on removable media, adding the following value for the system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    
  • It creates the following registry keys:
    [HKCR\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    
    [HKLM\Software\Classes\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    
  • It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.16***.com*"
    
  • It downloads malware from the following URLs:
    http://www.16***u.com/1mg/am.rar
    http://www.go***ccf.com/1mg/am1.rar
    The files are saved in the current user's temporary files directory under the following names, respectively:
    %Temp%\am.exe
    %Temp%\am1.exe
    
    The file is 159 232 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.

    The Trojan then opens the file, decrypts the header of the executable file, and launches it for execution. The malware extracts the executable file into the current user's temporary files directory under the name:

    %Temp%\apiqq.exe
    Then, in order to ensure that it is launched automatically each time the system is rebooted, it adds a link to the executable file in the system registry autorun key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "api32" = "%Temp%\apiqq.exe"
    
    It extracts a malicious library from its body, and saves it under one of the following names:
    %Temp%\apiqq0.dll 
    %Temp%\apiqq1.dll
    
    This file is 98 304 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.
  • Once the system is rebooted, the Trojan removes all hooks installed in the SSDT (System Service Dispatch Table), including those of antivirus applications.
  • It blocks the update service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents updates from running for the following antiviruses:
    ALYac
    Avast
    AVG
    Antivir Guard
    McAfee 
    Norton Security Suite
    NOD32
    Symantec 
    Spyware Doctor Internet Security
    Trend Micro Internet Security
    Virus Chaser
    
  • It steals confidential data from user accounts for the following games:
    World of Warcraft
    SilkRoad Online
    Knight Online
    CABAL Online
    Metin2
    MapleStory
    Dofus
    Guild Wars
    Aion
    Dungeon Fighter Online
    MU Online
    Seal Online
    EVE Online
    
  • The Trojan sends the collected data to the malicious user's server via the following links:
    

Propagation

For its subsequent propagation the Trojan copies the following file:

%Temp%\herss.exe
into the root directories of all local drives, network drives, and removable drives, under the name:
X:\wyskq6lt.exe
where X is the letter of the disk partition. The Trojan creates the following file so that the executable file is launched automatically:
X:\autorun.inf
It writes the following strings to this file:
[AutoRun]
open=wyskq6lt.exe
shell\open\Command=wyskq6lt.exe
The Trojan assigns "Hidden", "Read Only", and "System" attributes to the created files.
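
The propagation pattern above can be checked on a mounted drive or disk image. The following Python is an added example, not part of the original description: it parses an autorun.inf, lists the programs it would launch, and reports those that sit in the drive root with "Hidden" and "System" set. The function names and the root listing are assumptions of the example; the autorun.inf content is the one quoted above.

```python
# Keys that make Windows AutoRun start a program (matched case-insensitively).
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(text):
    """Return the programs an autorun.inf would launch, lowercased, in file order."""
    targets, in_section = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if not value or not (key in LAUNCH_KEYS or is_verb):
            continue
        # Take the program name only: drop arguments and surrounding quotes.
        program = value[1:].split('"')[0] if value[0] == '"' else value.split()[0]
        if program.lower() not in targets:
            targets.append(program.lower())
    return targets

def hidden_launchers(inf_text, root_files):
    """root_files maps names in the drive root to attribute letters, e.g. "SHR".
    Returns launch targets found in the root with Hidden and System both set."""
    attrs = {name.lower(): set(a.upper()) for name, a in root_files.items()}
    found = []
    for target in autorun_targets(inf_text):
        name = target[2:] if target.startswith(".\\") else target
        if {"H", "S"} <= attrs.get(name, set()):
            found.append(name)
    return found

# The autorun.inf content quoted above, plus a constructed root listing.
SAMPLE_INF = "[AutoRun]\nopen=wyskq6lt.exe\nshell\\open\\Command=wyskq6lt.exe\n"
SAMPLE_ROOT = {"autorun.inf": "SHR", "wyskq6lt.exe": "SHR", "setup.exe": "A"}

if __name__ == "__main__":
    print(hidden_launchers(SAMPLE_INF, SAMPLE_ROOT))
```

A legitimate installer disc also has an autorun.inf; the hidden and system attributes on the launch target are what separate the two cases here.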


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the following system registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "api32" = "%Temp%\apiqq.exe"
    "cdoosoft"="%Temp%\herss.exe"
    
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Modify the following registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.163*.com*"
    to:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000001
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000001
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000255
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"=""
    
  4. Delete the following registry keys:
    [HKCR\CLSID\MADOWN]
    [HKLM\Software\Classes\CLSID\MADOWN]
    
  5. Delete the following files:
    %Temp%\herss.exe
    %Temp%\apiqq.exe
    %Temp%\apiqq0.dll 
    %Temp%\apiqq1.dll
    %Temp%\am.exe
    %Temp%\am1.exe
    X:\wyskq6lt.exe
    X:\autorun.inf
    %Temp%\cvasds<rnd>.dll
    
    where rnd is a decimal number.
  6. Restore antivirus components.
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
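
Before editing the registry by hand, it helps to know which of the entries above are actually present. The following Python is an added example, not part of the original description: it reads registry export text taken from the suspect machine and reports matches for the Run, SHOWALL, MADOWN and "Hidden" entries named in steps 1, 3 and 4. The indicator table is transcribed from this page; the strong/weak split, the function names and the sample export are assumptions of the example.

```python
import re

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
# (key, value name, test, strong?) transcribed from the description above.
# Hidden=2 is also the Windows default, so it only counts as a weak signal.
INDICATORS = [
    (RUN, "cdoosoft", lambda v: str(v).lower().endswith(r"\herss.exe"), True),
    (RUN, "api32", lambda v: str(v).lower().endswith(r"\apiqq.exe"), True),
    (SHOWALL, "CheckedValue", lambda v: v == 0, True),
    (r"HKCR\CLSID\MADOWN", "urlinfo", lambda v: True, True),
    (r"HKLM\Software\Classes\CLSID\MADOWN", "urlinfo", lambda v: True, True),
    (ADV, "Hidden", lambda v: v == 2, False),
]
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CLASSES_ROOT": "HKCR"}

def parse_reg(text):
    """Parse regedit export text into {key: {value name: data}}, names lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault(f"{HIVES.get(hive, hive)}\\{rest}".lower(), {})
        elif current is not None and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)  # dword data is hexadecimal
            elif raw.startswith('"'):  # string data: undo the \\ and \" escapes
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys  # hex(...) and multi-line values are skipped

def findings(text):
    """Return (strong, weak) lists of 'key -> value name' matches."""
    keys, strong, weak = parse_reg(text), [], []
    for key, name, test, is_strong in INDICATORS:
        values = keys.get(key.lower(), {})
        if name.lower() in values and test(values[name.lower()]):
            (strong if is_strong else weak).append(f"{key} -> {name}")
    return strong, weak

# Constructed sample export, not taken from a real host.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\herss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''
```

Export files written by regedit are UTF-16; decode them to text before passing them to `findings`.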

[MD5: b06f47faeba87fe46cde3dfcfc7e3fa7]
[SHA1: 0ef51ea12b22cb78ce0d037baafddfa830d17606]


Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.



Aliases

Trojan-GameThief.Win32.Magania.dbtv (Kaspersky Lab) is also known as:

  • Trojan.OnlineGames-2954 (ClamAV)
  • W32/Lineage.LKJ (Panda)
  • PWS:Win32/Frethog.gen!H (MS(OneCare))
  • Trojan.PWS.Wsgame.12661 (DrWeb)
  • Trojan.PWS.Onlinegames.KDGD (BitDef7)
  • Trojan.PWS.Magania!2FFqquv4eJs (VirusBuster)
  • Win32:Rootkit-gen [Rtk] (AVAST)
  • Worm.Win32.Taterf (Ikarus)
  • Win32/NSAnti.J (AVG)
  • W32.Gammima.AG!gen6 (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.PWS.Magania!2FFqquv4eJs (VirusBusterBeta)