Virus Characteristics
-------Updated on Jun 8, 2013--------------
Aliases -
- Kaspersky - Trojan-GameThief.Win32.Magania.cbdy
- Microsoft - worm:win32/taterf.b
- Symantec - W32.Gammima
- Nod32 - Win32/Pacex.Gen
Characteristics –
Generic PWS.ak is a worm that spreads via removable drives and mapped drives in order to steal sensitive information and online gaming account credentials from the compromised machine. It also injects itself into running system processes to hide itself from the user.
The worm also executes on every system boot, drops a DLL into the %WINDIR%\system32 folder, and injects that DLL into all running system processes.
When executed, the Trojan copies itself to the following locations:
- %System drive%\autorun.inf
- %System drive%\tv1nlbfg.exe
- [Removable drive:]\autorun.inf
- [Removable drive:]\tv1nlbfg.exe
- %Temp%\4tddfwq1.dll
- %Temp%\xvassdf.exe
This worm also attempts to create an autorun.inf file on the root of any accessible disk volume.
The AutoRun.inf file points to the malware executable. When the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.
The autorun.inf is configured to launch the worm file via the following command syntax:
[AutoRun]
open=tv1nlbfg.exe
shell\open\Command=tv1nlbfg.exe
The following registry key values have been added to the system.
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger: "%Temp%\xvassdf.exe"
The above registry key ensures that the Worm executes itself upon system boot.
The following registry values have been modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
The above registry changes ensure that the worm's files stay hidden from the user: Explorer is set not to display hidden files (Hidden = 2, SHOWALL CheckedValue = 0) or protected operating-system files (ShowSuperHidden = 0).
-------------------------------------------------------------------------------------------------------
-------Updated on Jan 25, 2013--------------
Aliases -
- Kaspersky - Packed.Win32.Krap.b
- Microsoft - worm:win32/taterf.b
- Symantec - Trojan.Packed.NsAnti
- Nod32 - Win32/Pacex.Gen virus (variant)
Characteristics –
"Generic PWS.ak" is a worm that spreads via removable drives and mapped drives in order to steal sensitive information and online gaming account credentials from the compromised machine. It also injects itself into running system processes to hide itself from the user.
The worm also executes on every system boot, drops a DLL into the %WINDIR%\system32 folder, and injects that DLL into all running system processes.
Upon execution, the worm injects itself into all running system processes and connects to a remote URL.
When executed, the Trojan copies itself to the following locations:
- %WINDIR%\system32\revo0.dll
- %WINDIR%\system32\revo1.dll
- %WINDIR%\system32\drivers\klif.sys
- %System drive%\autorun.inf
- %System drive%\hbs.exe
- [Removable drive:]\autorun.inf
This worm also attempts to create an autorun.inf file on the root of any accessible disk volume.
The AutoRun.inf file points to the malware executable. When the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.
The autorun.inf is configured to launch the worm file via the following command syntax. The lines beginning with ";" are INI comments padded with random text; the Autorun parser ignores them, so they change the file's appearance without changing what it launches:
;sKKiDke4siara5qa4LL8knwpqJ0Dd1aSilrjaoAoKDdledJ3c5l93j4D3wspUK2kL2w
[AutoRun]
;CDD37ldaSAf2AAs8lJd1okjJrslaqk3aaplrw4Sw4aS5jows53see9lD30ji93d22AOqdr2d5fDJ4
open=hbs.exe
;on0SeAdDskssOkjaroaio44i313DkoD2ZKeDl3qal5Ke0sJsLwj15K7s8jD
shell\open\Command=hbs.exe
;ai4rAKiaqk4foLaDUqwo2saa2s3kqXkj0jkrSq4dasJaK332kofwL1oZwK0jl3diFJlk70na2a54al95p5sdi4wfLDw1p3iw24A0
shell\open\Default=1
;iddo
shell\explore\Command=hbs.exe
;iKLr2da4wia3d9Owip1lakkoSqrkD9isSfKkwkqwi2wFZl0J1l23ard4A1Ja5DkDd54k9la2qaKA7soDs0irKwq022kqeKKfalj8srmdL2Lweejre35Ka
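As an added example (not part of the original description), a small Python parser that reads an autorun.inf like the ones quoted on this page, skips the junk ";" comment lines, and lists the executables the file would launch; SAMPLE_INF is a constructed stand-in for the sample above.

```python
"""Parse autorun.inf as a defender triaging a removable drive would: skip ';'
comment lines (like the random junk quoted above), normalise names, list targets."""
import re
from typing import Dict, List

# Keys Autorun executes; custom shell\<verb>\command keys are matched by regex.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")

def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}, names lowercased (INI is case-insensitive)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # comment or padding line
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def launch_targets(text: str) -> List[str]:
    """Deduplicated commands (lowercased, first-seen order) that an
    Autorun-capable host would run for this autorun.inf."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    targets: List[str] = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key):
            if value.lower() not in targets:
                targets.append(value.lower())
    return targets

# Constructed sample modelled on the obfuscated autorun.inf quoted above.
SAMPLE_INF = """;k2Lw9xJunkFiller
[AutoRun]
;Dd1aMoreFiller
open=hbs.exe
shell\\open\\Command=hbs.exe
shell\\open\\Default=1
shell\\explore\\Command=hbs.exe
"""
```

launch_targets(SAMPLE_INF) returns ['hbs.exe']; comparing that list with the files actually present on the drive root is the triage step.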
The following registry key values have been added to the system.
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\kmmsoft: "%WINDIR%\system32\revo.exe"
The above registry value ensures that the Trojan registers itself with the compromised system and executes on every boot.
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\Type:1
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\ErrorControl:1
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\Start:2
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\ImagePath:%WINDIR%\system32\drivers\klif.sys
These registry values confirm that the worm also creates a service (KAVsys) for the dropped driver klif.sys and sets its start type to automatic (Start: 2).
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 00000091
The above registry value confirms that the worm keeps Autorun enabled: with NoDriveTypeAutoRun set to 0x91 the bit for removable drives (0x04) is clear, so autorun.inf on such drives is still honoured.
The following registry values have been modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
- HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
The above registry changes ensure that the worm's files stay hidden from the user.
The worm steals online game accounts and passwords by monitoring the following game processes:
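As an added example (not McAfee's own tooling), a Python audit that evaluates the Explorer hiding values and the NoDriveTypeAutoRun policy listed above; the registry data it checks is constructed and the SID is a placeholder.

```python
"""Audit the Explorer and Autorun policy values this description lists.
Values are given as {full_value_path: dword}; sample data is constructed."""
from typing import Dict, List

# Bit meanings of NoDriveTypeAutoRun: bit index == GetDriveType() result;
# a SET bit disables Autorun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "RESERVED_0x80",
}

# Value-path suffix -> data that keeps hidden files visible in Explorer.
EXPECTED_VISIBLE = {
    "\\Folder\\Hidden\\SHOWALL\\CheckedValue": 0x1,  # "Show hidden files" checked
    "\\Explorer\\Advanced\\Hidden": 0x1,            # 1 = show hidden, 2 = do not show
    "\\Explorer\\Advanced\\ShowSuperHidden": 0x1,   # 1 = show protected OS files
}

def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types for which Autorun is still enabled under `mask`."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

def audit(values: Dict[str, int]) -> List[str]:
    """Return one finding per value that hides files or keeps Autorun on
    for removable drives; an empty list means nothing suspicious."""
    findings: List[str] = []
    for path, data in values.items():
        for suffix, good in EXPECTED_VISIBLE.items():
            if path.lower().endswith(suffix.lower()) and data != good:
                findings.append(f"{path} = {data:#010x} (expected {good:#010x})")
        if path.lower().endswith("\\nodrivetypeautorun"):
            enabled = autorun_enabled_types(data)
            if "DRIVE_REMOVABLE" in enabled:
                findings.append(f"{path} = {data:#010x} leaves Autorun on for "
                                + ", ".join(enabled))
    return findings

# Constructed sample: the post-infection state described above (placeholder SID).
SAMPLE_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue": 0x0,
    r"HKEY_USERS\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": 0x2,
    r"HKEY_USERS\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden": 0x0,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": 0x91,
}
```

audit(SAMPLE_VALUES) yields four findings, one per flipped hiding value plus the Autorun policy; a clean host yields none.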
- Altair(Non-PvP)
- coc.exe
- Ragexe.exe
- Forthgoer
- Arcturus
- Vega(Non-PvP)
- Rigel
- Sirius
- Canopus
- lin.bin
- YPagerj.exe
--------Updated on Sep 05, 2012----------------
Aliases -
- Kaspersky - Trojan-GameThief.Win32.Magania.awur
- NOD32 - Win32/PSW.OnLineGames.NNU
- Symantec - W32.Gammima.AG!gen3
- Microsoft - worm:win32/taterf.b
Generic PWS.ak is a Trojan that allows unauthorized remote access to and control of an affected computer.
Upon execution it tries to connect to a remote URL and IP address through port 80.
When executed, the Trojan creates the following files on the system:
- %WINDIR%\system32\bgdferw0.dll
- %WINDIR%\system32\hyrteas0.dll
- %WINDIR%\system32\oukdfgr.exe
- %Systemdrive%\autorun.inf
- %Systemdrive%\lhylec9x.cmd
The following registry keys have been added.
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\
  - InprocServer32
  - ProgID
  - Programmable
  - VersionIndependentProgID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}
  - ProxyStubClsid
  - ProxyStubClsid32
  - TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}
The following registry values have been added.
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VersionIndependentProgID\: "IEHlprObj.IEHlprObj"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "IEHlprObj.IEHlprObj.1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%WINDIR%\system32\bgdferw0.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "IEHlprObj Class"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "IIEHlprObj"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "%WINDIR%\system32\bgdferw0.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%WINDIR%\system32\"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "IEHelper 1.0 Type Library"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\: "IEHlprObj.IEHlprObj.1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\: "IEHlprObj Class"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\: "{GUID}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\: "IEHlprObj Class"
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\hjdsdse: "%WINDIR%\system32\oukdfgr.exe"
The Classes and Browser Helper Objects keys above register bgdferw0.dll as an Internet Explorer Browser Helper Object (IEHlprObj), so the DLL is loaded whenever Internet Explorer starts, and the Run value ensures that the Trojan executes on every boot.
The following registry values have been modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
  - CheckedValue: 0x00000001
  - CheckedValue: 0x00000000
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  - Hidden: 0x00000001
  - Hidden: 0x00000002
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
The above registry changes ensure that the Trojan's files stay hidden.
-----Updated on Aug 1, 2012----------------
Aliases -
- Kaspersky - Trojan-GameThief.Win32.Magania.awuv
- NOD32 - Win32/PSW.OnLineGames.NMY
- Ikarus - Trojan-GameThief.Win32.Magania
- Microsoft - Worm:Win32/Taterf.B
"Generic PWS.ak" is a Trojan that allows unauthorized remote access to and control of an affected computer. The Trojan attempts to capture sensitive information and send it to a remote server for collection by an attacker.
Upon execution, the Trojan injects its malicious code into winlogon.exe and connects to the URL ilo.b[Removed]
When executed, the Trojan copies itself to the following locations; these files are added to the system:
- %WINDIR%\system32\dsewtds0.dll
- %SystemDrive%\autorun.inf
- %WINDIR%\system32\drivers\klif.sys
This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volume.
The AutoRun.inf file points to the malware executable. When the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.
The autorun.inf is configured to launch the Trojan file via the following command syntax.
The following registry values have been added.
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\%WINDIR%\system32\winlogon.exe: "\??\%WINDIR%\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\%WINDIR%\system32\winlogon.exe: "\??\%WINDIR%\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
The above registry values add winlogon.exe, into which the Trojan has injected its code, to the Windows Firewall list of authorized applications, so the injected code can send information to the remote attacker without the user's knowledge.
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Nhkletd: "%WINDIR%\system32\weidfsg.exe"
The above registry value ensures that the Trojan registers itself with the compromised system and executes on every boot.
The following registry values have been modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
  - CheckedValue: 0x00000001
  - CheckedValue: 0x00000000
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  - Hidden: 0x00000001
  - Hidden: 0x00000002
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  - ShowSuperHidden: 0x00000001
  - ShowSuperHidden: 0x00000000
The above registry changes ensure that the Trojan's files stay hidden.
The Trojan also collects information from the affected computer through the following API calls:
- GetComputerNameW
- GetProfileSectionA
---- Updated November 14, 2011 -------------------
Aliases –
- Kaspersky - Trojan-GameThief.Win32.Magania.ebol
- Microsoft - Worm:Win32/Taterf.D
- NOD32 - a variant of Win32/PSW.OnLineGames.PPS
- Symantec - W32.Gammima.AG
"Generic PWS.ak" is the detection for malware that logs user account details for certain online games.
Upon execution, the Trojan copies itself into the following locations and connects to the site "163[removed].com" through remote port 80 to download other malicious files.
- %Temp%\rbking.exe [Hidden]
- %SystemDrive%\skg1.exe [Hidden]
And it drops the following files.
- %Temp%\rbking0.dll [Hidden]
This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volume:
- %SystemDrive%\autorun.inf [Hidden]
All the above files are set with the "hidden", "read-only", and "system" attributes.
The autorun.inf is configured to launch the Trojan file via the following command syntax:
[AutoRun]
open=skg1.exe
shell\open\Command=skg1.exe
The following registry values have been added
The above registry entry confirms that the Trojan executes every time Windows starts.
The following registry values have been modified
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000
- HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0x00000002
- HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0x00000000
The above registry entries confirm that the Trojan prevents the user from viewing hidden files and folders on the system.
The Trojan looks for the following processes; if found, it tries to delete or rename them.
- Nod32Kui.exe
- FilMsg.exe
- Twister.exesss
- RavMon.exe
[Note: %SystemDrive% - C:\, %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]
---- Updated September 02, 2010 -------------------
File Information
- MD5 - C730AAEF9F6C8AB012FC51F066DB25B4
- SHA - 11D4F28604211641818AB5A6E8A377A8515FCC59
Aliases
- Kaspersky - Trojan-GameThief.Win32.Magania.cgsz
- NOD32 - a variant of Win32/Pacex.Gen
- Ikarus - Worm.Win32.Taterf
- Microsoft - Worm:Win32/Taterf.B
Generic PWS.ak is a Trojan that steals online game accounts and passwords by monitoring the system.
Upon execution, the Trojan copies itself into the following location.
- %Windir%\system32\olhrwef.exe [Hidden] [Detected as Generic PWS.ak]
- %SystemDrive%\m1rqygb.exe [Hidden] [Detected as Generic PWS.ak]
And drops the following files.
- %Windir%\system32\nmdfgds0.dll [Detected as Generic PWS.ak]
- %Windir%\system32\nmdfgds1.dll [Detected as Generic PWS.ak]
This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volume:
- %SystemDrive%\autorun.inf [Hidden]
The autorun.inf is configured to launch the Trojan file via the following command syntax:
[AutoRun]
open=m1rqygb.exe
shell\open\Command=m1rqygb.exe
The following registry key has been added to the system.
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
The fol