
Trojan-GameThief.Win32.Magania.dlip

Detected Jul 04 2010 13:37 GMT
Released Jul 05 2010 01:38 GMT
Published Mar 16 2011 12:23 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

This Trojan belongs to the family of Trojans that steals passwords from online gaming user account records. It is a Windows application (PE EXE file) and is 116 736 bytes in size. It is packed using ASPack. The unpacked file is approximately 254 KB in size. It is written in C++.

Installation

After launching, it creates a copy of its executable file in the current user's Windows temporary directory:

%Temp%\dsoqq.exe

In order to ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dso32" = "%Temp%\dsoqq.exe"


Payload

Depending on whether a running "AVP.exe" process is present, the Trojan extracts a malicious driver from its body. If "AVP.exe" has been detected, it saves the driver under the name "cdaudio.sys"; otherwise it uses the name "klif.sys":

%System%\drivers\klif.sys
%System%\drivers\cdaudio.sys

This file is 10 112 bytes in size.

To launch the malicious driver for execution, it creates a service with the name "KAVsys" or "AVPsys". At the same time, it adds the following information to the system registry key:

[HKLM\System\CurrentControlSet\Services\KAVsys]
"ImagePath" = "\\??\\%System%\drivers\klif.sys"
"ErrorControl" = "1"
"Start" = "3"
"Type" = "1"
or
[HKLM\System\CurrentControlSet\Services\KAVsys]
"DisplayName" = "AVPsys"
"ImagePath" = "\\??\\%System%\drivers\cdaudio.sys"
"ErrorControl" = "1"
"Start" = "3"
"Type" = "1"
After launching the driver, it deletes the registry key and driver file that it created:

[HKLM\System\CurrentControlSet\Services\KAVsys]

%System%\drivers\klif.sys
%System%\drivers\cdaudio.sys

The Trojan uses the driver to hide its payload while it operates on the Internet. To bypass the system's protection and antivirus procedures, it obtains the original copy of KeServiceDescriptorTable.

It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:

[HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language]

If the language is not Chinese, the Trojan creates a unique ID with the name

MN_XADLEBCBAXCSDFGEWQCDDD0

and searches for a process with the name "livesrv.exe" (BitDefender Security Update Service). If the process is detected, it finds the location of the executable file and moves all executable files ("exe") and library files ("dll") from this directory, keeping their original names but adding the new extension "vcd", to the root directory of the "C:\" drive.

The Trojan also searches for the process:

RavMon.exe

If the process is found, it searches for windows with the class name "#32770" and closes them.

It attempts to terminate the processes:

Nod32Kui.exe
FilMsg.exe
Twister.exe

The Trojan extracts from its body a malicious library with the name "dsoqq<rnd>.dll", where <rnd> is the number of infections of the user's computer:

%Temp%\dsoqq<rnd>.dll

This file is 76 288 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dlio (MD5:234e95554c1a96b482f3338c5a6b3ff7).

It injects the extracted library into the address space of the process "explorer.exe". After this, the Trojan deletes its original body and ceases its execution.

The malicious library may be loaded into all launched processes. It can execute the following actions, depending on the name of the process into which it has been injected:

  • It blocks the update service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents updates for the following antiviruses:
    ALYac
    Avast
    AVG
    Antivir Guard
    McAfee 
    Norton Security Suite
    NOD32
    Symantec 
    Spyware Doctor Internet Security
    Trend Micro Internet Security
    Virus Chaser
    
  • It steals confidential data from user accounts for the following games:
    World of Warcraft
    MapleStory
    Knight Online
    Silkroad Online
    Cabal Online
    Metin2
    Dofus
    Guild Wars
    Aion
    Dungeon Fighter Online
    Seal Online
    Lineage 2
    AIKA Online
    Wonderland Online
    MU Online
    
    To obtain data, it analyzes the settings files, the process memory, and Internet traffic.
  • It analyzes traffic sent to the following addresses:
    
  • The Trojan downloads files from the following URLs:
    http://www.b***lop.com/1mg/am1.rar
    http://www.b***ksw.com/1mg/am.rar
    http://www.b***ksw.com/1mg/am1.rar
    
    Depending on the URL, the downloaded content may contain links or malicious files in encrypted form. The Trojan saves the downloaded files in the current user's Windows temporary directory, decrypts them, and then launches them for execution:
    %Temp%\am1.rar
    %Temp%\am.rar
    
    At the time of writing, the downloaded file was 196 096 bytes in size and detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Taworm.gym.
  • To keep files with hidden and system attributes from being displayed in Windows Explorer, it creates the following parameters in the system registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden" = "0"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    
  • It enables autorun for applications on removable media, adding the following value for the system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "91"
    
  • It creates the following registry keys:
    [HKCR\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    
    [HKLM\Software\Classes\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    
  • In order to ensure that it launches automatically each time the system is rebooted, it adds a link to the Trojan's file to the system registry autorun key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dso32" = "%Temp%\dsoqq.exe"
    
  • It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200
    \Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.baidulop.com*"
    
  • The stolen data is sent to the malicious user's websites in the parameters for HTTP requests to the following addresses:
    
  • It carries out a procedure to infect the disk partitions on the user's computer.

Propagation

The malicious library copies the Trojan's body to all write-accessible disk partitions on the user's computer with the following name:

<X>:\g6jk.exe

where <X> is the letter of the disk partition. Together with the copy of itself, it places the following file in the root directory of the infected disk:

<X>:\autorun.inf

This file is 55 bytes in size and is designed to automatically launch the Trojan's file for execution each time the user opens the infected partition using Explorer. At the same time, it assigns hidden and system attributes to both files.


Removal instructions

If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to remove it:

  1. Use Task Manager to terminate the following processes:
    explorer.exe
  2. Delete the following files:
    %Temp%\dsoqq<rnd>.dll
    %Temp%\am1.rar
    %Temp%\am.rar
    %Temp%\dsoqq.exe
    <X>:\g6jk.exe
    <X>:\autorun.inf
    
  3. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dso32" = "%Temp%\dsoqq.exe"
    
  4. Delete the following system registry keys:
    [HKLM\Software\Classes\CLSID\MADOWN]
    
    [HKCR\CLSID\MADOWN]
    
  5. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
  6. If necessary, restore the values of the following registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden" = "0"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "91"
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.baidulop.com*"
    to the following:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "1"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden" = "1"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "1"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "255"
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks" = ""
    
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
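As an added triage check (not Kaspersky code), the Python below evaluates a registry snapshot, modelled as a plain dict so it runs offline, against the persistence and Explorer-setting indicators listed under Payload and restored in step 6. It assumes DWORD data is stored as integers, reads the page's "91" as hexadecimal 0x91, and uses a constructed INFECTED snapshot rather than data captured from a real host.

```python
from typing import Any, Dict, List

# Drive-type bits of NoDriveTypeAutoRun: a set bit means AutoRun is disabled for that type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}

def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types on which Explorer would still honour an autorun.inf under this mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

Snapshot = Dict[str, Dict[str, Any]]  # key path -> {value name: data}; DWORDs stored as int

def triage(reg: Snapshot) -> List[str]:
    """Return the registry indicators from the description that are present in the snapshot."""
    hits = []
    run = reg.get(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", {})
    if str(run.get("dso32", "")).lower().endswith("dsoqq.exe"):
        hits.append("Run value dso32 points at dsoqq.exe")
    adv = reg.get(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", {})
    if adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0:
        hits.append("Explorer configured to hide hidden/system files")
    showall = reg.get(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
                      r"\Folder\Hidden\SHOWALL", {})
    if showall.get("CheckedValue") == 0:
        hits.append("SHOWALL CheckedValue forced to 0")
    pol = reg.get(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", {})
    # An absent value is treated as "not flagged"; 0xFF (the value step 6 restores) disables all.
    if "removable" in autorun_enabled_types(pol.get("NoDriveTypeAutoRun", 0xFF)):
        hits.append("AutoRun allowed on removable media")
    if r"HKLM\Software\Classes\CLSID\MADOWN" in reg or r"HKCR\CLSID\MADOWN" in reg:
        hits.append("CLSID\\MADOWN marker key present")
    eset = reg.get(r"HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200"
                   r"\Profiles\@My profile\UrlSets\Node_00000000", {})
    if "baidulop" in str(eset.get("Masks", "")):
        hits.append("ESET URL exclusion added for the download domain")
    return hits

# Constructed snapshot of the state the description reports (the page's "91" read as hex 0x91).
INFECTED: Snapshot = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"dso32": r"%Temp%\dsoqq.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2, "ShowSuperHidden": 0},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL": {"CheckedValue": 0},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoDriveTypeAutoRun": 0x91},
    r"HKCR\CLSID\MADOWN": {"urlinfo": "dswdfre.q"},
}
# Constructed snapshot after step 6 of the removal instructions has been applied.
CLEANED: Snapshot = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoDriveTypeAutoRun": 255},
}
```

Running `triage(INFECTED)` reports five findings, while `triage(CLEANED)` reports none; the ESET check only fires when the "Masks" value still carries the download domain.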

md5: 09CF984B26C7CE307F4841D79A919B09
sha1: E298C5C414B1599EC865A0927CEFF3C0FAB943EC


Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.



Aliases

Trojan-GameThief.Win32.Magania.dlip (Kaspersky Lab) is also known as:

  • Trojan: Generic PWS.ak (McAfee)
  • Mal/Taterf-B (Sophos)
  • Trojan.OnlineGames-3357 (ClamAV)
  • Trj/Lineage.BZE (Panda)
  • Worm:Win32/Taterf.B (MS(OneCare))
  • Trojan.PWS.Wsgame.13295 (DrWeb)
  • Win32/PSW.OnLineGames.OUM trojan (Nod32)
  • Trojan.Generic.4370497 (BitDef7)
  • Trojan.PWS.Magania!VH/bELmvfmY (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Trojan-GameThief.Win32.Magania (Ikarus)
  • Win32/NSAnti.J (AVG)
  • TR/Spy.Taterf.K (AVIRA)
  • Trojan.Gen (NAV)
  • W32/Malware.NATD (Norman)
  • Trojan.Win32.Generic.521C0496 (Rising)
  • Trojan-GameThief.Win32.Magania.dlip [AVP] (FSecure)
  • WORM_TATERF.IK (TrendMicro)
  • BehavesLike.Win32.Malware (v) (Sunbelt)
  • Trojan.PWS.Magania!VH/bELmvfmY (VirusBusterBeta)