Trojan-GameThief.Win32.Magania.dbtv

Technical Details
Payload
Removal instructions

Technical Details

This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). The file is 126 464 bytes in size. It is packed using ASPack. The unpacked file is approximately 516 KB in size. It is written in C++.

Installation

Once launched, the Trojan copies its original body to the current user's temporary files directory under the following name:

%Temp%\herss.exe

It assigns "Hidden", "Read Only", and "System" attributes to this file. In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\herss.exe"

Payload

Once launched, the Trojan increases its privileges to gain access to other processes. Subject to the presence of a launched "AVP.exe" process, the Trojan extracts a malicious driver from its body, under various names. If "AVP.exe" is not found, it saves the driver under the name:

%System%\drivers\klif.sys

The file is 3840 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Zapchast.ccf.

If the "AVP.exe" antivirus process is detected, the Trojan rewrites the system driver for Microsoft CD-ROM audio filter:

%System%\drivers\cdaudio.sys

It creates the service called "KAVsys" and uses it to launch the malicious driver. After launching the driver, the Trojan deletes the following registry key:

[HKLM\System\CurrentControlSet\Services\KAVsys]

and also deletes the file itself:

%System%\drivers\klif.sys

or:

%System%\drivers\cdaudio.sys

It searches for a process with the name "livesrv.exe" (BitDefender Security Update Service). After detecting a launched "livesrv.exe" process, the Trojan finds the location of the executable file and moves from this directory to the root directory of the logical C drive all executable files ("exe") and library files ("dll") with their original names, adding the new "vcd" extension, for example:

C:\livesrv.exe.vcd

It finds and opens Explorer:

%WinDir%\explorer.exe

If the original Trojan file is not located in the local drive's root directory, the malware ceases running. In other cases the Trojan uses Explorer to open the root directory of the local disk where its executable file is located. In order to ensure that its process is unique in the system, the Trojan creates unique identifiers called "Game_start", "DALXBHDFGERTONGOJK_POP", "MN_XADLEBCBAXCSDFGEWQCDDD0", and "KJLDSOIUBGDSEROPOFGSFSIKDQ_MN". The Trojan then extracts a malicious library from its body and saves it under the following name:

%Temp%\cvasds<rnd>.dll

where rnd is a decimal number.

The file is 86 016 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dbtv.

It assigns "Hidden", "Read Only", and "System" attributes to this file. In a separate stream, 72 000 times per cycle the Trojan searches for Kaspersky Anti-Virus windows with the class names "AVP.AlertDialog" and "AVP.Product_Notification". The Trojan closes the window with the class name "AVP.AlertDialog" by simulating a mouse click on the dialog window. It closes the window with the class name "AVP.Product_Notification" by sending a close message to this window. It searches for the process:

RavMon.exe

When this process is found in all streams, it searches for windows with the class name "#32770" and attempts to close them. It injects its malicious code into the address space of the process "explorer.exe". This launches for execution the malicious library "cvasds<rnd>.dll". The Trojan's library is injected into all launched applications. The Trojan uses this library to perform the following actions:

• It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:

  [HKLM\System\CurrentControlSet\Control\Nls\Language]

• In order to hide files with "Hidden" and "System" attributes, the Trojan creates the following parameters in the system registry keys:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "Hidden"=dword:00000002
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "ShowSuperHidden"=dword:00000000
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  "CheckedValue"=dword:00000000
  

• If "iexplore.exe" is the parent process for this library, every 500 milliseconds the Trojan searches the stream for a window with the class name "IEFrame". If successful, it returns the descriptor of the found window to later process data entered into the browser by the user.
• It enables autorun for applications on removable media, adding the following value for the system registry key parameter:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoDriveTypeAutoRun"=dword:00000091
  

• It creates the following registry keys:

  [HKCR\CLSID\MADOWN]
  "urlinfo"="dswdfre.q"
  
  [HKLM\Software\Classes\CLSID\MADOWN]
  "urlinfo"="dswdfre.q"
  

• It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:

  [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
  "Masks"="*www*|www.16***.com*"
  

• It downloads malware from the following URLs:

  http://www.16***u.com/1mg/am.rar
  http://www.go***ccf.com/1mg/am1.rar

  The files are saved in the current user's temporary files directory under the following names, respectively:

  %Temp%\am.exe
  %Temp%\am1.exe
  

  The file is 159 232 bytes in size.It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.

  The Trojan then opens the file, decrypts the header of the executable file, and launches it for execution. The malware extracts the executable file into the current user's temporary files directory under the name:

  %Temp%\apiqq.exe

  Then, in order to ensure that it is launched automatically each time the system is rebooted, it adds a link to the executable file in the system registry autorun key:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "api32" = "%Temp%\apiqq.exe"
  

  It extracts a malicious library from its body, and saves it under one of the following names:

  %Temp%\apiqq0.dll 
  %Temp%\apiqq1.dll
  

  This file is 98 304 bytes in size.It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.
• Once the system is rebooted, the Trojan deletes all interceptors installed in SSDT (System Service Dispatch Table), including antivirus applications.
• It blocks the renewal service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents the execution of renewals for the following antiviruses:

  ALYac
  Avast
  AVG
  Antivir Guard
  McAfee 
  Norton Security Suite
  NOD32
  Symantec 
  Spyware Doctor Internet Security
  Trend Micro Internet Security
  Virus Chaser
  

• It steals confidential data from user accounts for the following games:

  World of Warcraft
  SilkRoad Online
  Knight Online
  CABAL Online
  Metin2
  MapleStory
  Dofus
  Guild Wars
  Aion
  Dungeon Fighter Online
  MU Online
  Seal Online
  EVE Online
  

• The Trojan sends the collected data to the malicious user's server via the following links:

  http://go***6s.com/y2y3/mfg/lin.asp
  http://go***6s.com/y2y3/mwo/lin.asp
  http://go***6s.com/y2y3/mqs/lin.asp
  http://go***6s.com/y2y3/msl/lin.asp
  http://go***6s.com/y2y3/ohs/lin.asp
  http://go***6s.com/y2y3/myt/lin.asp
  http://go***6s.com/y2y3/xfg/lin.asp
  http://go***6s.com/y2y3/tjt/lin.asp
  http://go***6s.com/y2y3/odo/lin.asp
  http://go***6s.com/y2y3/ofg/lin.asp
  http://go***6s.com/y2y3/dyt/lin.asp
  http://go***6s.com/y2y3/mjz/lin.asp
  http://go***6s.com/y2y3/yhz/lin.asp
  http://go***6s.com/y2y3/mnf/lin.asp
  http://go***6s.com/y2y3/mmu/lin.asp
  http://go***6s.com/y2y3/txw/lin.asp
  http://go***6s.com/y2y3/mev/lin.asp
  

Propagation

For its subsequent propagation the Trojan copies the following file:

%Temp%\herss.exe

into the root directories of all local drives, network drives, and removable drives, under the name:

X:\wyskq6lt.exe

where X is the letter of the disk partition. The Trojan creates the below file to autorun the executable file:

X:\autorun.inf

It writes the following strings to this file:

[AutoRun]
open=wyskq6lt.exe
shell\open\Command=wyskq6lt.exe

The Trojan assigns "Hidden", "Read Only", and "System" attributes to the created files.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

1. Delete the following system registry key parameters:

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "api32" = "%Temp%\apiqq.exe"
   "cdoosoft"="%Temp%\herss.exe"
   

2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
3. Modify the following registry key parameters:

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Hidden"=dword:00000002
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "ShowSuperHidden"=dword:00000000
   [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   "CheckedValue"=dword:00000000
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "NoDriveTypeAutoRun"=dword:00000091
   [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
   "Masks"="*www*|www.163*.com*"

   To

   [
   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Hidden"=dword:00000001
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "ShowSuperHidden"=dword:00000001
   [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   "CheckedValue"=dword:00000001
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "NoDriveTypeAutoRun"=dword:00000255
   [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
   "Masks"=""
   

4. Delete the following registry keys:

   [HKCR\CLSID\MADOWN]
   [HKLM\Software\Classes\CLSID\MADOWN]
   

5. Delete the following files:

   %Temp%\herss.exe
   %Temp%\apiqq.exe
   %Temp%\apiqq0.dll 
   %Temp%\apiqq1.dll
   %Temp%\am.exe
   %Temp%\am1.exe
   X:\wyskq6lt.exe
   X:\autorun.inf
   %Temp%\cvasds<rnd>.dll
   

   where rnd is a decimal number.
6. Restore antivirus components.
7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

[MD5: b06f47faeba87fe46cde3dfcfc7e3fa7]
[SHA1: 0ef51ea12b22cb78ce0d037baafddfa830d17606]

Summary

• Trojan. Performs actions that are typical of malicious programs

• Performs potentially dangerous activity

Technical details

File size of 126464 bytes.

Installation

Makes copies of itself with the following names once launched:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\herss.exe

Creates the following files on an infected computer:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\cvasds0.dll (­Kaspersky Anti-Virus detects as­ Trojan-GameThief.Win32.Magania.dbtv)

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "cdoosoft" = " Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\herss.exe"

Malicious activity

Injects its code into the following processes:

• explorer.exe

Modifies (deletes) Windows system files:

• Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys

Searches for message windows in order to protect against firewalls and antivirus programs

Class:	AVP.AlertDialog
Class:	AVP.Product_Notification

clicking on the relevant button allows the program to perform the requested action

Uses the masks shown below to search for files on the victim machine:

• *.*

Other activities

Installs the following system services (drivers):

Service name:	AVPsys
Displayed service name:	AVPsys
Startup parameters	Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys
Startup type:	­on demand­

Modifies the status of the following system services:

Service name:	AVPsys
Displayed service name:	AVPsys
Startup parameters	Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys

Deletes the following files on an infected computer:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\herss.exe
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\cvasds0.dll