Virus Profile: Generic PWS.ak

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/4/2008
Date Added: 11/4/2008
Origin: N/A
Length: varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 7359

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection


-------------Updated on Feb 24, 2014--------------------------------

Presence of the above-mentioned activities.

-------------Updated on Jan 25, 2013--------------------------------

The symptoms of this detection are the files, registry entries and network communication referenced in the Characteristics section.


--------Updated on Sep 05, 2012----------------

  • Downloads malicious files
  • Writes an executable in the Windows folder
  • Drops malicious files
  • Registry modification
  • Enumerates running processes
  • Deletes the initially executed copy of itself
  • To hinder detection and reduce file size, it is packed with a runtime packer.

Methods of Infection


-------------Updated on Feb 24, 2014--------------------------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

-------------Updated on Jan 25, 2013--------------------------------


This worm is spread by its intended method, infected removable drives. Alternatively, it may be installed by visiting a malicious web page, either by clicking on a link or by the website hosting a scripted exploit that installs the worm onto the user's system with no user interaction.

--------Updated on Sep 05, 2012----------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Aliases

Kaspersky: Trojan-GameThief.Win32.Magania.aozb, Microsoft - TrojanSpy:Win32/Pocar
   

Virus Characteristics

.........Updated on 21st May 2014...........

Aliases

  • Microsoft - worm:win32/taterf.b
  • Kaspersky - Trojan-GameThief.Win32.Magania.awuv
  • NOD-32 - Win32/PSW.OnLineGames.NMY
  • Symantec - W32.Gammima.AG!gen3
Characteristics –

“Generic PWS.ak” is a detection for a worm that spreads over USB devices. Worms are self-replicating malicious files that spread from computer to computer by several means, including but not limited to USB Autorun functionality, network shares, e-mail attachments and remote network exploits. The payload may include embedded files that are dropped onto the system, or files downloaded later, after the initial infection.

“Generic PWS.ak” copies itself as forever.exe to the root of all accessible drives. It writes an autorun configuration file named 'autorun.inf' pointing to forever.exe.

Upon execution, the malware tries to spread to all fixed and removable drives as described below. Besides that, it drops a copy of itself in the following locations:
  • [Removable Drive]\dk.exe
  • [Removable Drive]\AutoRun.inf
The worm also attempts to create an autorun.inf file in the root of every accessible disk volume. The file "AutoRun.inf" points to the malware executable; when the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.
The autorun.inf is configured to launch the worm file via the following command syntax:


[AutoRun]
open=dk.exe
;ksmArqlksi25qKk5L7kk7d4lDAwk7fKJqsd40lwdoiSalrwer
shell\open\Command=dk.exe

The worm drops the following files on the system:
  • %Windir%\system32\weidfsg.exe
  • %Windir%\system32\dsewtds0.dll
The following registry key value has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\nhkletd: "%Windir%\system32\weidfsg.exe"
This Run entry registers the worm on the compromised system so that it executes on every boot.

The following registry key values are modified by the worm to keep its files and folders hidden.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002

The above registry changes turn off the display of hidden and protected system files in Explorer, which hides the worm from the user.

It also uses shortcuts that mimic the hidden folders as a restart mechanism: each time the user tries to open one of these folders in Explorer, the malware is executed again.

...................................Updated on 14th March 2014..................................................

“Generic PWS.ak” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to a remote attacker.

On execution, it drops the following files:
  • %temp%\_MEI39202\bz2.pyd
  • %temp%\_MEI39202\mfc90.dll
  • %temp%\_MEI39202\mfc90u.dll
  • %temp%\_MEI39202\mfcm90.dll
  • %temp%\_MEI39202\mfcm90u.dll
  • %temp%\_MEI39202\msvcm90.dll
  • %temp%\_MEI39202\msvcp90.dll
  • %temp%\_MEI39202\msvcr90.dll
  • %temp%\_MEI39202\python27.dll
  • %temp%\_MEI39202\pythoncom27.dll
  • %temp%\_MEI39202\pywintypes27.dll
  • %temp%\_MEI39202\select.pyd
  • %temp%\_MEI39202\svchost.exe
  • %temp%\_MEI39202\unicodedata.pyd
  • %temp%\_MEI39202\win32api.pyd
  • %temp%\_MEI39202\win32com.shell.shell.pyd
  • %temp%\_MEI39202\win32trace.pyd
  • %temp%\_MEI39202\win32ui.pyd
  • %temp%\_MEI39202\_hashlib.pyd
  • %temp%\_MEI39202\_socket.pyd
  • %temp%\_MEI39202\_ssl.pyd
  • %userprofile%\Start Menu\Programs\Startup\Windows Services.lnk
The following folders are created on execution:
  • %temp%\tmp9nvhpz
  • %temp%\tmp9nvhpz\gen_py
  • %temp%\_MEI39202
  • %temp%\_MEI39202\include
Upon execution, the Trojan connects to the following IP addresses:
  • 224.[removed].252
  • 79.[removed].42
  • 239.[removed].250
The shortcut dropped at the following location launches the Trojan's executable on every boot:
  • %userprofile%\Start Menu\Programs\Startup\Windows Services.lnk
--------------------------------------------------------------------------------------------------------------

...................................Updated on 24th February 2014..................................................

Aliases:

  • Microsoft - worm:win32/taterf.b
  • Symantec - Trojan.Packed.NsAnti
  • Ikarus - Packed.Win32.Krap

Characteristics –

“Generic PWS.ak” is a detection for a Trojan that downloads other payloads. Once it has executed successfully, it deletes the source file.

Upon execution, the Trojan tries to inject into iexplore.exe and tries to connect to the following URL:

  • cd[Removed]3.com

Upon execution, the following files have been added to the system:

  • %System32%\revo.exe
  • %System32%\revo0.dll
  • %SystemDrive%\autorun.inf
  • %SystemDrive%\ukmggpy.cmd

The following registry key values have been added to the system.

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\kmmsoft: "%System32%\revo.exe"

The above registry entry makes sure that the malware is executed every time the system starts.

--------------------------------Updated on November 26,2013---------------------------------------

Aliases –

  • Kaspersky - Packed.Win32.Krap.g
  • Drweb - Trojan.PWS.Wsgame.4983
  • Microsoft - worm:win32/taterf.b


Characteristics –

“W32/Autorun.worm.h” is a detection for a worm that spreads over USB devices using the Autorun functionality. Worms are self-replicating malicious files that spread from computer to computer by several means, including but not limited to USB Autorun functionality, network shares, e-mail attachments and remote network exploits.

Upon execution, the following files have been added to the system:

  • [RemovableDrive]\2sdsu3.cmd
  • [RemovableDrive]\autorun.inf
  • %windir%\system32\ierdfgh.exe
  • %windir%\system32\pytdfse0.dll
  • %windir%\system32\revo.exe
  • %windir%\system32\revo0.dll
  • %systemdrive%\2sdsu3.cmd
  • %systemdrive%\autorun.inf


The following memory strings indicate that the Trojan may send stolen information to the remote attacker over HTTP:

  • PlayOnline ID :
  • pol.exe
  • polcore.dll
  • CheckedValue
  • Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
  • ShowSuperHidden
  • Hidden
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • \explorer.exe
  • kxswsoft
  • SoftWare\Microsoft\Windows\CurrentVersion\Run
  • autorun.inf
  • IEFrame
  • explorer.exe
  • iexplore.exe
  • Forthgoer
  • Ragexe.exe
  • Altair(Non-PvP)
  • Arcturus
  • Vega(Non-PvP)
  • Rigel
  • Sirius
  • Canopus
  • lin.bin
  • https://login.yahoo.co.jp/config/login_verify2?.src=ym
  • https://login.yahoo.co.jp/config/login?
  • YahooWidgetEngine.exe
  • YPagerj.exe



Also it drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" points to the malware executable; when the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Worm file via the following command syntax.


[AutoRun]
;L2d93A7Sa5jDL4asrfsk4DaqZa4DLks8Kq2wcaw01lD2wqaK4Kaa4362lrfkJf7aAsKA4k3elLjkkwsm3Dk02eidd2
open=2sdsu3.cmd
;s2odlOjedwoKAkDw35KeS32lpkLi408Kr7f8sJw4F05iAknUlikJa0XwK5Cafs2rDjo0iarIil
shell\open\Command=2sdsu3.cmd

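The autorun.inf layout above (and the earlier dk.exe variant) can be triaged mechanically. The following is an added example, not part of this McAfee profile: a small Python parser that reads the [AutoRun] section, skips the random ';' filler lines the worm inserts, and flags any directive that would launch an executable or script from the drive root. The sample content is constructed from the two listings on this page.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the two autorun.inf listings in this profile:
# random ';' comment lines are interleaved between the real directives.
SAMPLE_AUTORUN = r"""[AutoRun]
;L2d93A7Sa5jDL4asrfsk4DaqZa4DLks8Kq2wcaw01lD2wqaK4Kaa4362lrfkJf7aAsKA4k3elLjkkwsm3Dk02eidd2
open=2sdsu3.cmd
;s2odlOjedwoKAkDw35KeS32lpkLi408Kr7f8sJw4F05iAknUlikJa0XwK5Cafs2rDjo0iarIil
shell\open\Command=2sdsu3.cmd
"""

# Directives that make Windows Autorun execute a file from the drive.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")
# Launcher types seen in this profile (dk.exe, 2sdsu3.cmd) plus other runnable kinds.
EXEC_EXT = (".exe", ".cmd", ".bat", ".com", ".pif", ".scr")

def parse_autorun(text: str) -> Dict[str, str]:
    """Key=value pairs of the [AutoRun] section, keys lower-cased.
    ';' comment lines are skipped, so the worm's filler lines do not matter;
    section and key names match case-insensitively, as Windows does."""
    section = None
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def launch_targets(keys: Dict[str, str]) -> List[str]:
    """Every file the autorun.inf would execute, with arguments dropped."""
    targets = []
    for k in LAUNCH_KEYS:
        parts = keys.get(k, "").split()
        if parts:
            targets.append(parts[0].strip('"'))
    return targets

def is_suspicious(text: str) -> bool:
    """True when [AutoRun] launches an executable or script, the pattern this
    worm uses to start dk.exe / 2sdsu3.cmd from the root of each drive."""
    targets = launch_targets(parse_autorun(text))
    return any(t.lower().endswith(EXEC_EXT) for t in targets)
```

Legitimate installation media also use open=, so a hit is a triage signal to inspect the named file in the drive root, not a verdict on its own.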
The following registry keys have been added to the system.

  • HKey_LocalMachine\SOFTWARE\Microsoft\DownloadManager


The following registry key values have been added to the system.

  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Run\kxswsoft: "%windir%\system32\ierdfgh.exe"


This Run entry registers the worm on the compromised system so that it executes on every boot.

The following registry key values are modified on the system:


  • HKey_Localmachine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKey_Localmachine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000


The above registry changes make the worm hide files and file extensions from the user.


------------------------------------------------------------------------------------------------------------------


-------Updated on September 17, 2013--------------

File Property

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

   
