
Virus Profile: Generic PWS.gn

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/28/2010
Date Added: 2/28/2010
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 5906

Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases -

Microsoft - Worm:Win32/Taterf.gen!E
Quickheal - TrojanGameThief.Magania.cysk
Kaspersky - Trojan-GameThief.Win32.Magania.cysk
Symantec - W32.Gammima.AG

Indication of Infection

The symptoms of this detection are the files and registry entries referenced in the Virus Characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Virus Characteristics

Generic PWS.gn is a Trojan that spreads by copying itself to removable drives and that steals login and account details for popular online games.

Upon execution, the Trojan attempts to connect to the following domain over remote port 53:

www.yah[Removed]3.com

The Trojan copies itself to the following locations:

  • %Temp%\4tddfwq0.dll
  • %Temp%\xvassdf.exe
  • %Systemdrive%\dsb0.exe
  • [RemovableDrive]:\dsb0.exe
  • [RemovableDrive]:\autorun.inf
  • %Systemdrive%\autorun.inf

It also drops an autorun.inf file into the root of all removable and mapped drives in an attempt to have the executable run automatically when the drive is accessed.

The "AutoRun.inf" file points to the malware executable; when the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

[AutoRun]
open=dsb0.exe
shell\open\Command=dsb0.exe

The following registry values have been added to the system.

HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger: "%Temp%\xvassdf.exe"

This Run entry ensures that the Trojan is registered with the compromised system and executes on every boot.

The following registry values have been modified on the system (original value first, then the value set by the Trojan):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
CheckedValue: 0x00000001 (before)
CheckedValue: 0x00000000 (after)

HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000001 (before)
Hidden: 0x00000002 (after)

HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden: 0x00000001 (before)
ShowSuperHidden: 0x00000000 (after)

These modifications turn off the display of hidden and protected operating-system files in Explorer, so the Trojan's dropped files stay hidden from the user.
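The autorun.inf launch syntax and the registry indicators listed above can be checked offline against exported data. The following helpers are an added example, not McAfee's code; the autorun.inf text and registry values fed to them are constructed samples, and the value name "54dfsger" and the post-infection DWORD data are taken from this profile.

```python
"""Offline triage helpers for the indicators listed in this profile.
Added example, not McAfee's code; all inputs below are constructed samples."""
import re

# Post-infection Explorer values described in the profile (value name -> DWORD data).
TAMPERED_EXPLORER_VALUES = {
    "CheckedValue": 0,     # ...\Explorer\Advanced\Folder\Hidden\SHOWALL
    "Hidden": 2,           # ...\Explorer\Advanced
    "ShowSuperHidden": 0,  # ...\Explorer\Advanced
}
RUN_VALUE_NAME = "54dfsger"  # Run value name listed in the profile


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}, case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_launch_targets(text):
    """Executables an autorun.inf would launch when the drive is accessed."""
    launch_keys = ("open", "shellexecute", "shell\\open\\command")
    section = parse_autorun(text).get("autorun", {})
    return sorted({section[k] for k in launch_keys if k in section})

def explorer_hidden_tampered(observed):
    """Explorer value names whose data matches the post-infection state."""
    return [n for n, v in TAMPERED_EXPLORER_VALUES.items() if observed.get(n) == v]

def suspicious_run_entries(run_values):
    """Run entries (name -> command) using the profile's value name or a %Temp% path."""
    return [n for n, cmd in run_values.items()
            if n.lower() == RUN_VALUE_NAME or re.search(r"%temp%|\\temp\\", cmd, re.I)]

if __name__ == "__main__":
    sample_inf = "[AutoRun]\nopen=dsb0.exe\nshell\\open\\Command=dsb0.exe\n"  # constructed
    print(autorun_launch_targets(sample_inf))  # ['dsb0.exe']
    print(explorer_hidden_tampered({"CheckedValue": 0, "Hidden": 2, "ShowSuperHidden": 0}))
```

Feed it the contents of a suspect autorun.inf and the exported Explorer and Run values from a host; a non-empty result from any helper is a reason to run a full scan with current DATs.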

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).