Virus Profile: Generic PWS.ak

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/4/2008
Date Added: 11/4/2008
Origin: N/A
Length: varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 6846
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

-------------Updated on Jan 25, 2013--------------------------------

The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.


--------Updated on Sep 05, 2012----------------

  • Downloads malicious files
  • Writes an executable in the Windows folder
  • Drops malicious files
  • Modifies the registry
  • Enumerates running processes
  • Deletes the initially executed copy of itself
  • Is packed with a runtime packer to hinder detection and reduce the file size

 

 

 

Methods of Infection

-------------Updated on Jan 25, 2013--------------------------------

This worm spreads by its intended method, infected removable drives. Alternatively it may be installed by visiting a malicious web page, either by clicking on a link or through a scripted exploit hosted on the site that installs the worm onto the user's system with no user interaction.

--------Updated on Sep 05, 2012----------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Aliases

Kaspersky: Trojan-GameThief.Win32.Magania.aozb
   

Virus Characteristics

-------Updated on Jun 8, 2013--------------

Aliases -

  • Kaspersky    -    Trojan-GameThief.Win32.Magania.cbdy
  • Microsoft    -    worm:win32/taterf.b
  • Symantec    -    W32.Gammima
  • Nod32        -    Win32/Pacex.Gen

Characteristics –

Generic PWS.ak is a worm spread via removable drives and mapped system drives in order to steal sensitive information and gaming account information from the compromised machine. It also injects itself into running system processes to hide itself from the user.

The worm also executes upon every system boot, drops a DLL file into the %WINDIR%\system32 folder and injects that DLL into all running system processes.

When executed the Trojan copies itself into the following location:

  • %System drive%\autorun.inf
  • %System drive%\tv1nlbfg.exe
  • [Removable drive:]\autorun.inf
  • [Removable drive:]\tv1nlbfg.exe
  • %Temp%\4tddfwq1.dll
  • %Temp%\xvassdf.exe

This Worm also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" points to the malware executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file via the following command syntax.

[AutoRun]
open=tv1nlbfg.exe
shell\open\Command=tv1nlbfg.exe

The following registry key values have been added to the system.

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger: "%Temp%\xvassdf.exe"


The above registry key ensures that the Worm executes itself upon system boot.


The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

The above registry modifications ensure that the worm's files are hidden from the user.

-------------------------------------------------------------------------------------------------------

-------Updated on Jan 25, 2013--------------

Aliases -

  • Kaspersky    -    Packed.Win32.Krap.b
  • Microsoft    -    worm:win32/taterf.b
  • Symantec    -    Trojan.Packed.NsAnti
  • Nod32        -    Win32/Pacex.Gen virus (variant)

Characteristics –

"Generic PWS.ak" is a worm spread via removable drives and mapped system drives in order to steal sensitive information and gaming account information from the compromised machine. It also injects itself into the system running process to hide itself from the user.
The Worm also executes upon every system boot and drops a dll file into %WINDIR%\system32 folder and injects the dll file into the all system running process.

Upon execution, the worm injects itself into the all system running process and connects to the URL below.

  • Cd[Removed]3.com

When executed the Trojan copies itself into the following location:

  • %WINDIR%\system32\revo0.dll
  • %WINDIR%\system32\revo1.dll
  • %WINDIR%\system32\drivers\klif.sys
  • %System drive%\autorun.inf
  • %System drive%\hbs.exe
  • [Removable drive:]\autorun.inf

This Worm also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" points to the malware executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file via the following command syntax.

;sKKiDke4siara5qa4LL8knwpqJ0Dd1aSilrjaoAoKDdledJ3c5l93j4D3wspUK2kL2w
[AutoRun]
;CDD37ldaSAf2AAs8lJd1okjJrslaqk3aaplrw4Sw4aS5jows53see9lD30ji93d22AOqdr2d5fDJ4
open=hbs.exe
;on0SeAdDskssOkjaroaio44i313DkoD2ZKeDl3qal5Ke0sJsLwj15K7s8jD
shell\open\Command=hbs.exe
;ai4rAKiaqk4foLaDUqwo2saa2s3kqXkj0jkrSq4dasJaK332kofwL1oZwK0jl3diFJlk70na2a54al95p5sdi4wfLDw1p3iw24A0
shell\open\Default=1
;iddo
shell\explore\Command=hbs.exe
;iKLr2da4wia3d9Owip1lakkoSqrkD9isSfKkwkqwi2wFZl0J1l23ard4A1Ja5DkDd54k9la2qaKA7soDs0irKwq022kqeKKfalj8srmdL2Lweejre35Ka
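The ";" lines in the file above are comments that the shell skips, so only the open= and shell\...\Command= directives decide what runs. The Python below, an added example and not McAfee's code, parses an autorun.inf the same way, lists the launch targets and counts the padded comment lines as one indicator; the sample input is constructed to mirror the file quoted above.

```python
# Added example, not code from McAfee's profile: parse an autorun.inf the way
# the Windows shell does (';' lines are comments, names are case-insensitive)
# and report which file each launch directive points at. SAMPLE is constructed
# to mirror the junk-comment layout quoted in this write-up.
import re
from typing import Dict, List

# Directives the shell acts on when a drive is inserted, opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {name: value}}; comment lines are skipped entirely."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # padding comments never reach the parser
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sections[current][name.strip().lower()] = value.strip()
    return sections

def launch_targets(text: str) -> List[str]:
    """Unique files the [AutoRun] section would launch, sorted."""
    autorun = parse_autorun(text).get("autorun", {})
    return sorted({autorun[k].split()[0].strip('"')
                   for k in LAUNCH_KEYS if autorun.get(k)})

def junk_comment_lines(text: str, min_len: int = 40) -> int:
    """Count ';' lines holding one long alphanumeric run with no spaces, the
    padding seen in the file quoted above (a heuristic, not a McAfee rule)."""
    pattern = re.compile(r";[A-Za-z0-9]{%d,}" % min_len)
    return sum(1 for l in text.splitlines() if pattern.fullmatch(l.strip()))

def is_suspicious(text: str) -> bool:
    """One heuristic: a file that both launches something and is padded with
    junk comments deserves a look before the drive is opened."""
    return bool(launch_targets(text)) and junk_comment_lines(text) > 0

# Constructed sample mirroring the profile's autorun.inf (not a real capture).
SAMPLE = """;sKKiDke4siara5qa4LL8knwpqJ0Dd1aSilrjaoAoKDdledJ3c5l93j4D3wspUK2kL2w
[AutoRun]
;CDD37ldaSAf2AAs8lJd1okjJrslaqk3aaplrw4Sw4aS5jows53see9lD30ji93d22AOqdr2d5fDJ4
open=hbs.exe
;iddo
shell\\open\\Command=hbs.exe
shell\\open\\Default=1
shell\\explore\\Command=hbs.exe
"""
```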

The following registry key values have been added to the system.

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\kmmsoft: "%WINDIR%\system32\revo.exe"

The above registry value ensures that the Trojan registers itself with the compromised system and executes upon every boot.

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\Type:1
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\ErrorControl:1
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\Start:2
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\ImagePath:%WINDIR%\system32\drivers\klif.sys

The registry confirms that the worm also creates a service for the dropped file and sets its start type to automatic.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 00000091

The above registry value confirms that the worm enables Autorun.

The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

The above registry modifications ensure that the worm's files are hidden from the user.
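The Run value, the KAVsys service, the NoDriveTypeAutoRun policy and the hidden-file values above are the artifacts a responder would look for. The Python below, an added example rather than anything from McAfee, parses registry lines in the notation this profile uses and reports what each setting implies; the sample lines are constructed from the values quoted above, and the NoDriveTypeAutoRun bit meanings are Microsoft's documented ones.

```python
# Added example, not code from McAfee's profile: parse registry artifacts in the
# "key path\value name: data" notation this write-up uses and assess the
# behaviours it attributes to them. SAMPLE is constructed from values quoted here.
import re
from typing import Dict, List, Tuple

# NoDriveTypeAutoRun bits (documented by Microsoft): a set bit disables AutoRun
# for that drive type, so a cleared bit means AutoRun is still allowed there.
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}

def _to_data(raw: str):
    """'0x00000002' and '00000091' are hex, '2' is decimal, anything else is text."""
    raw = raw.strip().strip('"')
    if re.fullmatch(r"0x[0-9A-Fa-f]+|[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return int(raw) if raw.isdigit() else raw

def parse_reg_lines(lines: List[str]) -> Dict[Tuple[str, str], object]:
    """Map (key path, value name) -> data. A repeated entry overwrites the earlier
    one, matching the profile's before/after pairs (last listed = final state)."""
    out: Dict[Tuple[str, str], object] = {}
    for line in lines:
        line = line.strip().lstrip("•").strip()
        if not line.startswith("HKEY_") or ":" not in line:
            continue
        left, _, raw = line.partition(":")
        path, _, name = left.rstrip().rpartition("\\")
        out[(path.strip().lower(), name.strip().lower())] = _to_data(raw)
    return out

def assess(values: Dict[Tuple[str, str], object]) -> Dict[str, object]:
    """Turn raw values into the behaviours a responder cares about."""
    f = {"autorun_allowed": [], "hidden_files_concealed": False,
         "run_persistence": [], "auto_start_services": []}
    for (path, name), data in values.items():
        if name == "nodrivetypeautorun" and isinstance(data, int):
            f["autorun_allowed"] = [t for bit, t in AUTORUN_BITS.items() if not data & bit]
        elif path.endswith("\\folder\\hidden\\showall") and name == "checkedvalue":
            f["hidden_files_concealed"] |= data == 0          # "Show hidden files" off
        elif path.endswith("\\explorer\\advanced") and name in ("hidden", "showsuperhidden"):
            f["hidden_files_concealed"] |= (name == "hidden" and data == 2) or \
                                           (name == "showsuperhidden" and data == 0)
        elif path.endswith("\\currentversion\\run"):
            f["run_persistence"].append((name, data))         # runs at every logon
        elif "\\services\\" in path and name == "start" and data == 2:  # SERVICE_AUTO_START
            f["auto_start_services"].append(path.rsplit("\\", 1)[-1])
    return f

# Constructed from registry lines quoted in this profile (paths as printed there).
SAMPLE = [
    r'HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\kmmsoft: "%WINDIR%\system32\revo.exe"',
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\Start:2",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\ImagePath:%WINDIR%\system32\drivers\klif.sys",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDriveTypeAutoRun: 00000091",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000",
    r"HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002",
]
```

With the sample above, 0x91 leaves AutoRun enabled for removable, fixed, CD-ROM and RAM-disk drives, which is what the write-up's "enables the Autorun" remark refers to.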
The worm steals online game accounts and passwords by monitoring the following game processes:


  • Altair(Non-PvP)
  • coc.exe
  • Ragexe.exe
  • Forthgoer
  • Arcturus
  • Vega(Non-PvP)
  • Rigel
  • Sirius
  • Canopus
  • lin.bin
  • YPagerj.exe

 

--------Updated on Sep 05, 2012----------------

Aliases -

  • Kaspersky    -    Trojan-GameThief.Win32.Magania.awur
  • NOD32        -    Win32/PSW.OnLineGames.NNU
  • Symantec     -    W32.Gammima.AG!gen3
  • Microsoft    -    worm:win32/taterf.b

Generic PWS.ak is a Trojan that allows unauthorized remote access to and control of an affected computer.

Upon execution it tries to connect to the URL and IP addresses below through remote port 80:

  • Nh[Removed]1.com/hg2/ll.rar 
  • 69.[Removed].161.152 
  • 141.[Removed].224.79
  • 141.[Removed].224.25
  • 74.[Removed].31.154

When executed the Trojan creates the following files on the system:

  • %WINDIR%\system32\bgdferw0.dll
  • %WINDIR%\system32\hyrteas0.dll
  • %WINDIR%\system32\oukdfgr.exe
  • %Systemdrive%\autorun.inf
  • %Systemdrive%\lhylec9x.cmd

The following registry keys have been added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\
    • InprocServer32
    • ProgID
    • Programmable
    • VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}
    • ProxyStubClsid
    • ProxyStubClsid32
    • TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{GUID}

The following registry values have been added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VersionIndependentProgID\: "IEHlprObj.IEHlprObj"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "IEHlprObj.IEHlprObj.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%WINDIR%\system32\bgdferw0.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "IEHlprObj Class"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "IIEHlprObj"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "%WINDIR%\system32\bgdferw0.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%WINDIR%\system32\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "IEHelper 1.0 Type Library"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\: "IEHlprObj.IEHlprObj.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\: "IEHlprObj Class"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\: "IEHlprObj Class"
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\hjdsdse: "%WINDIR%\system32\oukdfgr.exe"

The above registry value ensures that the Trojan registers itself with the compromised system and executes upon every boot.

The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
    • CheckedValue: 0x00000001
    • CheckedValue: 0x00000000
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    • Hidden: 0x00000001
    • Hidden: 0x00000002
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    • ShowSuperHidden: 0x00000001
    • ShowSuperHidden: 0x00000000

The above registry modifications ensure that the Trojan's files are hidden.

-----Updated on Aug 1, 2012----------------

Aliases -

  • Kaspersky - Trojan-GameThief.Win32.Magania.awuv
  • NOD32     - Win32/PSW.OnLineGames.NMY
  • Ikarus        - Trojan-GameThief.Win32.Magania
  • Microsoft   - Worm:Win32/Taterf.B

"Generic PWS.ak" is a Trojan allows unauthorized remote access and control to an affected computer. The Trojan attempts to capture and distribute sensitive information to a remote server for collection by an attacker.

Upon execution, the Trojan injects its malicious code into winlogon.exe and connects to the URL below through remote port 80:

  • ilo.b[Removed]z.pl/114.112.[Removed].81

When executed the Trojan copies itself into the following location:

  • %SystemDrive%\dk.exe
  • %WINDIR%\system32\weidfsg.exe

The following files have been added to the system:

  • %WINDIR%\system32\dsewtds0.dll
  • %SystemDrive%\autorun.inf
  • %WINDIR%\system32\drivers\klif.sys

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes.

The file "AutoRun.inf" points to the malware executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

[AutoRun]
open=dk.exe
;ksmArqlksi25qKk5L7kk7d4lDAwk7fKJqsd40lwdoiSalrwer
shell\open\Command=dk.exe

The following registry values have been added.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\%WINDIR%\system32\winlogon.exe: "\??\%WINDIR%\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\%WINDIR%\system32\winlogon.exe: "\??\%WINDIR%\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

The above registry values add winlogon.exe, into which the Trojan has injected its code, to the Windows Firewall's authorized applications list, allowing the Trojan to send information to the remote attacker without the user's knowledge.

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Nhkletd: "%WINDIR%\system32\weidfsg.exe"

The above registry value ensures that the Trojan registers itself with the compromised system and executes upon every boot.

The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

The above registry modifications ensure that the Trojan's files are hidden.

The Trojan also gathers information from the affected computer using the following APIs:

  • GetComputerNameW
  • GetProfileSectionA

----   Updated November 14, 2011 -------------------

Aliases –

    • Kaspersky - Trojan-GameThief.Win32.Magania.ebol
    • Microsoft - Worm:Win32/Taterf.D
    • NOD32 - a variant of Win32/PSW.OnLineGames.PPS
    • Symantec - W32.Gammima.AG

"Generic PWS.ak" is the detection for malware that logs user account details for certain online games.

Upon execution, the Trojan copies itself into the following locations and connects to the site "163[removed].com" through remote port 80 to download other malicious files.

    • %Temp%\rbking.exe [Hidden]
    • %SystemDrive%\skg1.exe [Hidden]

And it drops the following files.

    • %Temp%\rbking0.dll [Hidden]

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes:

    • %SystemDrive%\autorun.inf [Hidden]

All the above files are set with the "hidden", "read-only", and "system" attributes.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

    • [AutoRun]
    • open=skg1.exe
    • shell\open\Command=skg1.exe

The following registry values have been added

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      king_rb = "%Temp%\rbking.exe"

The above registry entry confirms that the Trojan executes every time Windows starts.

The following registry values have been modified

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
      CheckedValue = 0x00000000
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      Hidden = 0x00000002
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
      ShowSuperHidden = 0x00000000

The above registry entries confirm that the Trojan prevents the user from viewing hidden files and folders on the compromised system.

The Trojan looks for the following processes. If found, it tries to delete or rename them.

    • Nod32Kui.exe
    • FilMsg.exe
    • Twister.exesss
    • RavMon.exe

[Note: %SystemDrive% - C:\, %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]

-------

----   Updated September 02, 2010 -------------------

 File Information

    • MD5  -  C730AAEF9F6C8AB012FC51F066DB25B4
    • SHA  - 11D4F28604211641818AB5A6E8A377A8515FCC59

Aliases

    • Kaspersky   - Trojan-GameThief.Win32.Magania.cgsz
    • NOD32      - a variant of Win32/Pacex.Gen
    • Ikarus         - Worm.Win32.Taterf
    • Microsoft   - Worm:Win32/Taterf.B

Generic PWS.ak is a Trojan that steals online game accounts and passwords by monitoring the system.

Upon execution, the Trojan copies itself into the following location.

    • %Windir%\system32\olhrwef.exe [Hidden] [Detected as Generic PWS.ak]
    • %SystemDrive%\m1rqygb.exe [Hidden] [Detected as Generic PWS.ak]

And drops the following files.

    • %Windir%\system32\nmdfgds0.dll [Detected as Generic PWS.ak]
    • %Windir%\system32\nmdfgds1.dll [Detected as Generic PWS.ak]

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes:

    • %SystemDrive%\autorun.inf [Hidden]

The autorun.inf is configured to launch the trojan file via the following command syntax.

    • [AutoRun]
    • open=m1rqygb.exe
    • shell\open\Command=m1rqygb.exe

The following registry keys have been added to the system.

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVPsys
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys

The fol

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).