
Virus Profile: Generic PWS.ak

Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/4/2008
Date Added: 11/4/2008
Origin: N/A
Length: varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 7359


This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

-------------Updated on Feb 24, 2014--------------------------------

Presence of the above-mentioned activities.

-------------Updated on Jan 25, 2013--------------------------------

The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

--------Updated on Sep 05, 2012----------------

  • Downloads malicious files
  • Writes an executable in the Windows folder
  • Drops malicious files
  • Registry modification
  • Enumerates running processes
  • Deletes the initially executed copy of itself
  • Is packed with a runtime packer to hinder detection and reduce file size




Methods of Infection

-------------Updated on Feb 24, 2014--------------------------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

-------------Updated on Jan 25, 2013--------------------------------

This worm may be spread by its intended method of infected removable drives. Alternatively, it may be installed by visiting a malicious web page (either by clicking on a link, or because the website hosts a scripted exploit that installs the worm onto the user's system with no user interaction).

--------Updated on Sep 05, 2012----------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.


Aliases: Kaspersky - Trojan-GameThief.Win32.Magania.aozb; Microsoft - TrojanSpy:Win32/Pocar

Virus Characteristics

...................................Updated on 14th March 2014..................................................

“Generic PWS.ak” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker.

On execution, it drops the following files.
  • %temp%\_MEI39202\bz2.pyd
  • %temp%\_MEI39202\mfc90.dll
  • %temp%\_MEI39202\mfc90u.dll
  • %temp%\_MEI39202\mfcm90.dll
  • %temp%\_MEI39202\mfcm90u.dll
  • %temp%\_MEI39202\msvcm90.dll
  • %temp%\_MEI39202\msvcp90.dll
  • %temp%\_MEI39202\msvcr90.dll
  • %temp%\_MEI39202\python27.dll
  • %temp%\_MEI39202\pythoncom27.dll
  • %temp%\_MEI39202\pywintypes27.dll
  • %temp%\_MEI39202\select.pyd
  • %temp%\_MEI39202\svchost.exe
  • %temp%\_MEI39202\unicodedata.pyd
  • %temp%\_MEI39202\win32api.pyd
  • %temp%\_MEI39202\
  • %temp%\_MEI39202\win32trace.pyd
  • %temp%\_MEI39202\win32ui.pyd
  • %temp%\_MEI39202\_hashlib.pyd
  • %temp%\_MEI39202\_socket.pyd
  • %temp%\_MEI39202\_ssl.pyd
  • %userprofile%\Start Menu\Programs\Startup\Windows Services.lnk
The following are the folders created on execution.
  • %temp%\tmp9nvhpz
  • %temp%\tmp9nvhpz\gen_py
  • %temp%\_MEI39202
  • %temp%\_MEI39202\include
Upon execution, the Trojan connects to the following IP addresses.
  • 224.[removed].252
  • 79.[removed].42
  • 239.[removed].250
The shortcut at the following location ensures that the Trojan's executable is launched on every boot.
  • %userprofile%\Start Menu\Programs\Startup\Windows Services.lnk

...................................Updated on 24th February 2014..................................................


  • Microsoft - worm:win32/taterf.b
  • Symantec - Trojan.Packed.NsAnti
  • Ikarus - Packed.Win32.Krap

Characteristics –

“Generic PWS.ak” is a detection for a Trojan that downloads other payloads. Once it has executed successfully, it deletes its source file.

Upon execution, the Trojan tries to inject its files into iexplore.exe and to connect to the following URLs.

  • cd[Removed]

Upon execution, the following files are added to the system.

  • %System32%\revo.exe
  • %System32%\revo0.dll
  • %SystemDrive%\autorun.inf
  • %SystemDrive%\ukmggpy.cmd

The following registry key values have been added to the system.

  • HKEY_USER\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\kmmsoft: "%System32%\revo.exe"

The above registry entry ensures that the malware is executed every time the system starts up.

--------------------------------Updated on November 26,2013---------------------------------------

Aliases –

  • Kaspersky - Packed.Win32.Krap.g
  • Drweb - Trojan.PWS.Wsgame.4983
  • Microsoft - worm:win32/taterf.b

Characteristics –

“W32/Autorun.worm.h” is a detection for a worm that spreads over USB devices using the Autorun functionality. Worms are self-replicating malicious files that spread from computer to computer by several means, including but not restricted to USB Autorun, network shares, e-mail attachments and remote network exploits.

Upon execution the following files have been added to the system.

  • [RemovableDrive]\2sdsu3.cmd
  • [RemovableDrive]\autorun.inf
  • %windir%\system32\ierdfgh.exe
  • %windir%\system32\pytdfse0.dll
  • %windir%\system32\revo.exe
  • %windir%\system32\revo0.dll
  • %systemdrive%\2sdsu3.cmd
  • %systemdrive%\autorun.inf

The following memory strings indicate that the Trojan may send information to the remote attacker over HTTP:

  • PlayOnline ID :
  • pol.exe
  • polcore.dll
  • CheckedValue
  • Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
  • ShowSuperHidden
  • Hidden
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • \explorer.exe
  • kxswsoft
  • SoftWare\Microsoft\Windows\CurrentVersion\Run
  • autorun.inf
  • IEFrame
  • explorer.exe
  • iexplore.exe
  • Forthgoer
  • Ragexe.exe
  • Altair(Non-PvP)
  • Arcturus
  • Vega(Non-PvP)
  • Rigel
  • Sirius
  • Canopus
  • lin.bin
  • YahooWidgetEngine.exe
  • YPagerj.exe

Also it drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" points to the malware's executable; when the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.
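To show how such a file is read at triage time, here is an added Python example (not McAfee tooling and not the worm's own autorun.inf, which this profile does not reproduce). It parses an autorun.inf and reports which directives would launch a program when the volume is opened or autoplayed. The sample content is constructed, with the placeholder name payload.cmd standing in for the dropped file; the parser covers the general open, shellexecute and shell\<verb>\command directives rather than only the case described here.

```python
"""Parse an autorun.inf and report which directives would launch a program
when the volume is opened or autoplayed.

Added example, not McAfee tooling and not the worm's own file. The sample
below is constructed; payload.cmd is a placeholder for the dropped file.
"""
import ntpath
import sys

# Extensions that Windows runs as programs or scripts when given as a target.
EXECUTABLE_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample (not the worm's file, which the profile does not reproduce).
SAMPLE_AUTORUN_INF = r"""[autorun]
; constructed illustration
open=payload.cmd
shell\open\command=payload.cmd
shell\explore\command=payload.cmd
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.
    Comment lines (;) and lines without '=' are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(sections):
    """Directives under [autorun] that run a program: open, shellexecute,
    and any shell\\<verb>\\command override."""
    hits = {}
    for key, value in sections.get("autorun", {}).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            hits[key] = value
    return hits


def program_of(command):
    """Program path from a command line: the quoted token or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(text):
    """Return (launch directives, findings) for one autorun.inf."""
    directives = launch_directives(parse_autorun_inf(text))
    findings = []
    for key, value in directives.items():
        prog = program_of(value)
        if ntpath.splitext(prog)[1].lower() in EXECUTABLE_EXTS:
            findings.append(f"{key} runs executable-class file {prog}")
        if key.startswith("shell\\"):
            findings.append(f"{key} overrides an Explorer context-menu verb")
    return directives, findings


if __name__ == "__main__":
    # Pass a path to scan a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN_INF
    directives, findings = triage(text)
    for k, v in directives.items():
        print(f"{k} = {v}")
    for f in findings:
        print("!", f)
```

Run it against the autorun.inf collected from a drive root to see every launch path it defines; a directive whose target is a script or executable sitting in the same root is the pattern this profile describes.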

The autorun.inf is configured to launch the Worm file via the following command syntax.


The following registry keys have been added to the system.

  • HKey_LocalMachine\SOFTWARE\Microsoft\DownloadManager

The following registry key values have been added to the system.

  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Run\kxswsoft: "%windir%\system32\ierdfgh.exe"

The above registry value registers a Run entry on the compromised system so that the worm executes on every boot.

The following registry key values are modified on the system:

  • HKey_Localmachine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKey_Localmachine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
  • HKey_Users\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

The above registry modifications ensure that the worm's files and file extensions stay hidden from the user.
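A defender checking a machine for the artifacts listed in this update and in the February 2014 update (the kmmsoft and kxswsoft Run values, the dropped file names, and the Explorer hidden-file settings) can do so from a plain `reg export` dump. The following Python is an added example, not McAfee tooling: it parses the .reg export format and flags those indicators. The registry snapshot in SAMPLE_REG is constructed; the value names and file names it is matched against are taken from this profile.

```python
"""Triage a `reg export` text dump for the persistence and hidden-file
tampering indicators listed in this profile.

Added example, not McAfee tooling. SAMPLE_REG below is constructed; the
value names and file names it is checked against come from the profile.
"""
import re
import sys
from pathlib import PureWindowsPath

# Run-key value names and dropped-file names from the profile above.
RUN_VALUE_NAMES = {"kmmsoft", "kxswsoft"}
DROPPED_FILE_NAMES = {"revo.exe", "revo0.dll", "ierdfgh.exe",
                      "pytdfse0.dll", "2sdsu3.cmd", "ukmggpy.cmd"}

# Constructed sample in .reg export format (SID shortened for readability).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run]
"kxswsoft"="C:\\WINDOWS\\system32\\ierdfgh.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_USERS\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}. REG_SZ data is unescaped,
    dword data becomes an int, other types are kept as their raw text."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith("dword:"):
                entries[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                entries[current][name] = _unescape(data[1:-1])
            else:
                entries[current][name] = data
    return entries


def _program_of(command):
    """Program path from a Run value's command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_indicators(entries):
    """Return short tags for each indicator found in parsed registry entries."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith(r"\software\microsoft\windows\currentversion\run"):
            for name, data in values.items():
                if name.lower() in RUN_VALUE_NAMES:
                    findings.append(f"run-value-name:{name}")
                base = PureWindowsPath(_program_of(str(data))).name.lower()
                if base in DROPPED_FILE_NAMES:
                    findings.append(f"run-target:{base}")
        elif k.endswith(r"\explorer\advanced"):
            # Hidden=2 selects "Do not show hidden files"; ShowSuperHidden=0 hides protected OS files.
            if values.get("Hidden") == 2:
                findings.append("explorer-hidden-files-off")
            if values.get("ShowSuperHidden") == 0:
                findings.append("explorer-superhidden-off")
        elif k.endswith(r"\explorer\advanced\folder\hidden\showall"):
            # CheckedValue=0 neuters the "Show hidden files" option in Folder Options.
            if values.get("CheckedValue") == 0:
                findings.append("showall-checkedvalue-zeroed")
    return findings


if __name__ == "__main__":
    # Pass a path to a `reg export` file to scan it; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for tag in find_indicators(parse_reg_export(text)):
        print(tag)
```

`reg export` writes UTF-16 with a byte-order mark, which is why the script opens real dumps with encoding="utf-16". Exporting the Run keys under HKCU/HKU and the Explorer\Advanced keys under both HKCU and HKLM, then running the script over each dump, covers every registry artifact this profile lists.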


-------Updated on September 17, 2013--------------

File Property        Property Value
McAfee Artemis
McAfee Detection     Generic PWS.ak
Length               116496 bytes


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).