Virus Profile: Generic PWS.ak
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 04/11/2008
Date Added: 04/11/2008
Origin: N/A
Length: VARIES
Type: Trojan
Subtype: N/A
DAT Required: 5424
Description

A Trojan is spread manually, often passed off as something beneficial; it relies on the user executing an unknown program, which then compromises the system. It is distributed by many means, from peer-to-peer networks to email. It has no spreading routine of its own.

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Indication of Infection

   • Downloads malicious files
   • Writes an executable to the Windows folder
   • Drops malicious files
   • Modifies the registry
   • Enumerates running processes
   • Deletes the initially executed copy of itself
   • To hinder detection and reduce file size, it is packed with a runtime packer

Methods of Infection

Aliases

   • F-Secure: Trojan-GameThief.Win32.Magania.aozb
   • Kaspersky: Trojan-GameThief.Win32.Magania.aozb

Virus Characteristics

It saves a copy of itself to the following location:
– %SYSDIR%\tavo.exe

The following files are created:
– %SYSDIR%\drivers\klif.sys (further investigation showed that this file is also malware; detected as TR/Drop.Onlinegames2)
– %SYSDIR%\tavo0.dll (further investigation showed that this file is also malware; detected as TR/DLL.Onlinegames.B)

It tries to download the following files:
– From the location:
   http://adeui.com/**********/ff.exe
   Saved on the local hard drive as: %TEMPDIR%\ff.exe. This file is executed once the download completes. Further investigation showed that it is also malware; detected as TR/Onlinegames.CP
– From the location:
   http://adeui.com/**********/cc.exe
   Saved on the local hard drive as: %TEMPDIR%\cc.exe. This file is executed once the download completes. Further investigation showed that it is also malware; detected as TR/Onlinegames.CP

Registry

The following registry entry is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • tava="%SYSDIR%\tavo.exe"

To hinder detection and reduce file size, it is packed with a runtime packer.
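The file paths and the Run-key value above are the indicators a responder would check on a suspect host. The following Python is an added example, not McAfee's code: it compares a snapshot of the Run key and the file system against those indicators, and on Windows can collect the snapshot itself through winreg. The function names, the default directories and the sample snapshot are assumptions. One caveat worth keeping in mind: a driver named klif.sys is also installed by legitimate Kaspersky products, so that path alone is a lead to confirm with a scan, not proof of infection.

```python
"""Host triage for the indicators listed in this profile.

Added example, not McAfee's code.  The IOC_* constants, triage(),
collect_live() and the default directories are illustrative choices.
"""
import os
import sys

# Indicators taken from the profile text above.
IOC_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKCU
IOC_RUN_VALUE_NAME = "tava"
IOC_RUN_VALUE_DATA = r"%SYSDIR%\tavo.exe"
IOC_SYSDIR_FILES = ("tavo.exe", "tavo0.dll", r"drivers\klif.sys")
IOC_TEMP_FILES = ("ff.exe", "cc.exe")


def _norm(path):
    """Normalise a Windows path for comparison: strip quotes and whitespace,
    unify separators and ignore case (same result on any platform)."""
    return path.strip().strip('"').replace("/", "\\").lower()


def expand(template, sysdir, tempdir):
    """Substitute the profile's %SYSDIR% / %TEMPDIR% placeholders."""
    return template.replace("%SYSDIR%", sysdir).replace("%TEMPDIR%", tempdir)


def triage(run_values, existing_files, sysdir=r"C:\Windows\System32",
           tempdir=r"C:\Windows\Temp"):
    """Compare a host snapshot with the profile's indicators.

    run_values     -- {value name: value data} read from HKCU\...\Run
    existing_files -- paths that exist on the host
    Returns a list of human-readable findings (empty list = no hit).
    """
    findings = []
    present = {_norm(p) for p in existing_files}
    expected_data = _norm(expand(IOC_RUN_VALUE_DATA, sysdir, tempdir))

    # Persistence: match on the value name or on the data it points at, so a
    # renamed value that still launches tavo.exe is caught as well.
    for name, data in run_values.items():
        if name.lower() == IOC_RUN_VALUE_NAME or _norm(data) == expected_data:
            findings.append(f"run-key persistence: {name}={data}")

    for rel in IOC_SYSDIR_FILES:
        full = sysdir + "\\" + rel
        if _norm(full) in present:
            findings.append(f"dropped file present: {full}")

    for rel in IOC_TEMP_FILES:
        full = tempdir + "\\" + rel
        if _norm(full) in present:
            findings.append(f"downloaded payload present: {full}")
    return findings


def collect_live():
    """Read the HKCU Run key and probe the indicator paths on a Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use triage() on a snapshot")
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IOC_RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:          # raised when no more values remain
                break
            run_values[name] = str(data)
            index += 1
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    tempdir = os.environ.get("TEMP", r"C:\Windows\Temp")
    candidates = [os.path.join(sysdir, f) for f in IOC_SYSDIR_FILES] + \
                 [os.path.join(tempdir, f) for f in IOC_TEMP_FILES]
    existing = [p for p in candidates if os.path.exists(p)]
    return run_values, existing, sysdir, tempdir


# Constructed sample snapshot of an infected host (not real data).
SAMPLE_RUN_VALUES = {
    "tava": r"C:\Windows\System32\tavo.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
SAMPLE_FILES = [r"C:\Windows\System32\tavo0.dll", r"C:\Windows\Temp\ff.exe"]

if __name__ == "__main__":
    args = collect_live() if sys.platform == "win32" else (SAMPLE_RUN_VALUES, SAMPLE_FILES)
    for line in triage(*args) or ["no indicators from this profile found"]:
        print(line)
```

Run it as-is on a non-Windows machine to see the findings for the constructed snapshot; on Windows it reads the live Run key and probes the paths under the current user's context. The matching is deliberately loose on the Run value (name or target), because a renamed persistence entry that still points at tavo.exe is the same infection.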

File details

Programming language: the malware program was written in MS Visual C++.


Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations