English

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Watch us on

Home→Descriptions→Trojan-GameThief.Win32.Magania.dlip

Trojan-GameThief.Win32.Magania.dlip

Detected	Jul 04 2010 13:37 GMT
Released	Jul 05 2010 01:38 GMT
Published	Mar 16 2011 12:23 GMT

Manual description Auto description

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This Trojan belongs to the family of Trojans that steals passwords from online gaming user account records. It is a Windows application (PE EXE file) and is 116 736 bytes in size. It is packed using ASPack. The unpacked file is approximately 254 KB in size. It is written in C++.

Installation

After launching, it creates a copy of its executable file in the current user's Windows temporary directory:

%Temp%\dsoqq.exe

In order to ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dso32" = "%Temp%\dsoqq.exe"

Payload

Subject to the presence of a launched "AVP.exe" process, the Trojan extracts a malicious driver from its body. If "AVP.exe" has been detected, it saves the driver under the name "cdaudio.sys", or otherwise under the name "klif.sys":

%System%\drivers\klif.sys
%System%\drivers\cdaudio.sys

This file is 10 112 bytes in size.

To launch the malicious driver for execution, it creates a service with the name "KAVsys" or "AVPsys". At the same time, it adds the following information to the system registry key:

[HKLM\System\CurrentControlSet\Services\KAVsys]
"ImagePath" = "\\??\\%System%\drivers\klif.sys"
"ErrorControl" = "1"
"Start" = "3"
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\KAVsys]
"DisplayName" = "AVPsys"
"ImagePath" = "\\??\\%System%\drivers\cdaudio.sys"
"ErrorControl" = "1"
"Start" = "3"
"Type" = "1"

After launching the driver, it deletes the registry key and driver file that it created:

[HKLM\System\CurrentControlSet\Services\KAVsys]

%System%\drivers\klif.sys
%System%\drivers\cdaudio.sys

The Trojan uses the driver to hide its payload during its operations on the Internet. To avoid the system's protection and antivirus procedures, it obtains the original copy of KeServiceDescriptorTable.

It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:

[HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language]

If the language is not Chinese, the Trojan creates a unique ID with the name

MN_XADLEBCBAXCSDFGEWQCDDD0

and searches for a process with the name "livesrv.exe" (BitDefender Security Update Service). If the process is detected, it finds the location of the executable file and moves all executable files ("exe") and library files ("dll") from this directory, keeping their original names but adding the new extension "vcd", to the root directory of the "C:\" drive.

The Trojan also searches for the process:

RavMon.exe

If the process is found, it searches for windows with the class name "#32770" and closes them.

It attempts to terminate the processes:

Nod32Kui.exe
FilMsg.exe
Twister.exe

The Trojan extracts from its body a malicious library with the name "dsoqq<rnd>.dll", where <rnd> is the number of infections of the user's computer:

%Temp%\dsoqq<rnd>.dll

This file is 76 288 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dlio (MD5:234e95554c1a96b482f3338c5a6b3ff7).

It injects the extracted library into the address space of the process "explorer.exe". After this, the Trojan deletes its original body and ceases its execution.

The malicious library may be loaded into all launched processes. It can execute the following actions, depending on the name of the process into which it has been injected:

It blocks the renewal service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents the execution of renewals for the following antiviruses:
```
ALYac
Avast
AVG
Antivir Guard
McAfee 
Norton Security Suite
NOD32
Symantec 
Spyware Doctor Internet Security
Trend Micro Internet Security
Virus Chaser
```

It steals confidential data from user accounts for the following games:

World of Warcraft
MapleStory
Knight Online
Silkroad Online
Cabal Online
Metin2
Dofus
Guild Wars
Aion
Dungeon Fighter Online
Seal Online
Lineage 2
AIKA Online
Wonderland Online
MU Online

To obtain data, it analyzes the settings files, the process memory, and Internet traffic.

It analyzes traffic sent to the following addresses:

203.***.173
203.***.174
203.***.175
203.***.176
203.***.169
203.***.170
203.***.171
203.***.172
203.***.165
203.***.166
203.***.167
203.***.168
203.***.161
203.***.162
203.***.163
203.***.164
203.***.157
203.***.158
203.***.159
203.***.160
203.***.153
203.***.154
203.***.155
203.***.156
203.***.149
203.***.150
203.***.151
203.***.152
203.***.145
203.***.146
203.***.147
203.***.148
203.***.141
203.***.142
203.***.143
203.***.144
213.***.189
213.***.188
213.***.134
213.***.85
213.***.148
213.***.144
213.***.150
213.***.182 
213.***.186
213.***.149
213.***.165
213.***.183
213.***.187
213.***.141
213.***.155
213.***.142
213.***.145
213.***.164
213.***.132
38.***.209
38.***.213
38.***.217
38.***.221
38.***.227
38.***.232
38.***.237
38.***.242
202.***.11
202.***.12
202.***.13
202.***.14
202.***.15
202.***.21
202.***.22
202.***.23
202.***.24
202.***.31
202.***.32
202.***.33
202.***.34
203.***.106
203.***.107
216.***.136
206.***.163
206.***.165
206.***.131
216.***.130
216.***.133
206.***.130
206.***.162
202.***.70
202.***.130
202.***.131
202.***.132
202.***.133
202.***.134
202.***.124
202.***.125
202.***.126
202.***.127
202.***.129
202.***.105
202.***.53
202.***.55
202.***.114
202.***.135
202.***.118
202.***.119
202.***.120
202.***.121
202.***.128
202.***.72
202.***.51
202.***.52
202.***.71
202.***.115
4.***.68
4.***.69
4.***.70
4.***.71
4.***.72
4.***.73
202.***.161
202.***.163
202.***.165
202.***.110
202.***.112
202.***.114
202.***.119
202.***.121
202.***.123
202.***.49
202.***.51
202.***.54

The Trojan downloads files from the following URLs:
```
http://www.b***lop.com/1mg/am1.rar
http://www.b***ksw.com/1mg/am.rar
http://www.b***ksw.com/1mg/am1.rar
```
Depending on the URLs, they may contain links or malicious files in an encrypted form. It saves the downloaded files saved in the current user's Windows temporary directory and decrypts them, then launches them for execution:
```
%Temp%\am1.rar
%Temp%\am.rar
```
At the time of writing, the downloaded file was 196 096 bytes in size and detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Taworm.gym.

To hide files with hidden and system attributes during the use of Windows Explorer, it creates the following parameters in the system registry keys:

[HKÑU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

It enables autorun for applications on removable media, adding the following value for the system registry key parameter:
```
[HKÑU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "91"
```

It creates the following registry keys:

[HKCR\CLSID\MADOWN]
"urlinfo"="dswdfre.q"

[HKLM\Software\Classes\CLSID\MADOWN]
"urlinfo"="dswdfre.q"

In order to ensure that it launches automatically each time the system is rebooted, it adds a link to the Trojan's file to the system registry autorun key:
```
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dso32" = "%Temp%\dsoqq.exe"
```

It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:

[HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200
\Profiles\@My profile\UrlSets\Node_00000000]
"Masks"="*www*|www.baidulop.com*"

The stolen data is sent to the malicious user's websites in the parameters for HTTP requests to the following addresses:

http://go***el6s.com/y2y3/mfg/lin.asp
http://go***el6s.com/y2y3/mwo/lin.asp
http://go***el6s.com/y2y3/mqs/lin.asp
http://go***el6s.com/y2y3/msl/lin.asp
http://go***el6s.com/y2y3/ohs/lin.asp
http://go***el6s.com/y2y3/myt/lin.asp
http://go***el6s.com/y2y3/xfg/lin.asp
http://go***el6s.com/y2y3/tjt/lin.asp
http://go***el6s.com/y2y3/odo/lin.asp
http://go***el6s.com/y2y3/ofg/lin.asp
http://go***el6s.com/y2y3/mjz/lin.asp
http://go***el6s.com/y2y3/yhz/lin.asp
http://go***el6s.com/y2y3/mnf/lin.asp
http://go***el6s.com/y2y3/txw/lin.asp
http://go***el6s.com/y2y3/mtt/lin.asp
http://go***el6s.com/y2y3/lyt/lin.asp
http://go***el6s.com/y2y3/yyt/lin.asp
http://go***el6s.com/y2y3/eyh/lin.asp
http://go***el6s.com/y2y3/mjt/lin.asp
http://go***el6s.com/y2y3/nyt/lin.asp
http://go***el6s.com/y2y3/mai/lin.asp
http://go***el6s.com/y2y3/ttd/lin.asp

It carries out a procedure to infect the disk partitions on the user's computer.

Propagation

The malicious library copies the Trojan's body to all write-accessible disk partitions on the user's computer with the following name:

<X>:\g6jk.exe

where <X> is the letter of the disk partition. Together with the copy of itself, it places the following file in the root directory of the infected disk:

<X>:\autorun.inf

This file is 55 bytes in size and is designed to automatically launch the Trojan's file for execution each time the user opens the infected partition using Explorer. At the same time, it assigns hidden and system attributes to files.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

Use Task Manager to terminate the following processes:
```
explorer.exe
```

Delete the following files:

%Temp%\dsoqq<rnd>.dll
%Temp%\am1.rar
%Temp%\am.rar
%Temp%\dsoqq.exe
<X>:\g6jk.exe
<X>:\autorun.inf

Delete the following system registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dso32" = "%Temp%\dsoqq.exe"

Delete the following system registry keys:

[HKLM\Software\Classes\CLSID\MADOWN]

[HKCR\CLSID\MADOWN]

Empty the Temporary Internet Files directory:
```
%Temporary Internet Files%
```

If necessary, restore the values of the following registry key parameters:

[HKÑU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKÑU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "91"
[HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200
\Profiles\@My profile\UrlSets\Node_00000000]
"Masks"="*www*|www.baidulop.com*"
to the following:
[HKÑU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced]
"Hidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced]
"ShowSuperHidden"= "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "1"
[HKÑU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "255"
[HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200
\Profiles\@My profile\UrlSets\Node_00000000]
"Masks" = ""

Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

md5: 09CF984B26C7CE307F4841D79A919B09
sha1: E298C5C414B1599EC865A0927CEFF3C0FAB943EC

Summary

Trojan. Performs actions that are typical of malicious programs

Performs potentially dangerous activity

Technical details

File size of 116736 bytes.

Installation

Makes copies of itself with the following names once launched:

Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\dsoqq.exe

Creates the following files on an infected computer:

Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\dsoqq0.dll (Kaspersky Anti-Virus detects as Trojan-GameThief.Win32.Magania.dlio)

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "dso32" = " Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\dsoqq.exe"

Malicious activity

Injects its code into the following processes:

explorer.exe

Modifies (deletes) Windows system files:

Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys

Searches for message windows in order to protect against firewalls and antivirus programs

Class: AVP.AlertDialog

Class: AVP.Product_Notification

clicking on the relevant button allows the program to perform the requested action

Uses the masks shown below to search for files on the victim machine:

Other activities

Installs the following system services (drivers):

Service name: AVPsys

Displayed service name: AVPsys

Startup parameters Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys

Startup type: on demand

Modifies the status of the following system services:

Service name: AVPsys

Displayed service name: AVPsys

Startup parameters Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys

Deletes the following files on an infected computer:

Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\dsoqq.exe
Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\dsoqq0.dll

Malicious programs

Trojans

Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.

Other versions

Trojan-GameThief.Win32.Magania.cnkt

Trojan-GameThief.Win32.Magania.dbtv

Aliases

Trojan-GameThief.Win32.Magania.dlip (Kaspersky Lab) is also known as:

Trojan: Generic PWS.ak (McAfee)
Mal/Taterf-B (Sophos)
Trojan.OnlineGames-3357 (ClamAV)
Trj/Lineage.BZE (Panda)
Worm:Win32/Taterf.B (MS(OneCare))
Trojan.PWS.Wsgame.13295 (DrWeb)
Win32/PSW.OnLineGames.OUM trojan (Nod32)
Trojan.Generic.4370497 (BitDef7)
Trojan.PWS.Magania!VH/bELmvfmY (VirusBuster)
Win32:Malware-gen (AVAST)
Trojan-GameThief.Win32.Magania (Ikarus)
Win32/NSAnti.J (AVG)
TR/Spy.Taterf.K (AVIRA)
Trojan.Gen (NAV)
W32/Malware.NATD (Norman)
Trojan.Win32.Generic.521C0496 (Rising)
Trojan-GameThief.Win32.Magania.dlip [AVP] (FSecure)
WORM_TATERF.IK (TrendMicro)
BehavesLike.Win32.Malware (v) (Sunbelt)
Trojan.PWS.Magania!VH/bELmvfmY (VirusBusterBeta)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com

Service name:	AVPsys
Displayed service name:	AVPsys
Startup parameters	Windows system directory (usually, C:\Windows\System32) %System%\drivers\cdaudio.sys
Startup type:	on demand