Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Stop running the "BITS" service.
  2. Delete the following file:
    %Documents and Settings%\QQCRT.DLL

  3. Restore the "ServiceDll" parameter value for the system registry key:
    "ServiceDll"="%Documents and Settings%\QQCRT.DLL"

    change to
    "ServiceDll" = "%SystemRoot%\System32\qmgr.dll"

  4. Restore the "BITS" service.
  5. Delete the following files:
    C:\Program Files\QQ.EXE
    %Documents and Settings%\%Current User%\Main menu\X.exe

  6. Rename the file:
    C: \Program Files\Garss.exe


  7. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: b8ae1e3ce04afa9d7aa1752b9e93641b
SHA1: 03af00527ff7710b978ed32a81250d29fcbeead2


After launching, the trojan searches for the launched process named:


If this process has been launched, the trojan terminates its implementation. The trojan then retrieves the file saved in the temporary file directory under the following name from its body:

where rnd is a random digital sequence. It then moves this file and saves it under the following name:
%Documents and Settings%\QQCRT.DLL

The file is 22154588 bytes and is detected by Kaspersky Antivirus as Trojan-GameThief.Win32.Magania.erpe. The trojan also moves the system file:

C: \Program Files\Garss.exe

Then, using the command line, it launches the malicious library for execution:
C:\Program Files\Garss.exe "C:\Documents and Settings\QQCRT.DLL" Main

To start up the malicious library, the trojan modifies the "BITS" system service. The trojan therefore creates and launches a system registry file under the following name:

after which the following information is added to the system registry:
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"DisplayName"="Background Intelligent Transfer Service (BITS)"
"Description"="Ensures the transfer of data between clients and severs in the background. If the BITS service is disabled, options such as Windows Update will not work properly."
[HKLM\System\CurrentControlSet\Services\BITS\Parameters] "ServiceDll"="%Documents and Settings%\QQCRT.DLL"

After launching, the "1.reg" file is deleted. The trojan also searches for the following antivirus processes:

and runs active resistance to anti-virus applications in separate strings. The trojan may also copy its executable file under the following name:
C:\Program Files\QQ.EXE

It creates a file entitled:

which may also be moved by the trojan and saved under the following name:
%Documents and Settings%\%Current User%\Main menu\X.exe

The file is 36752 bytes. The trojan uses this file to launch the malicious library. It retrieves the following certificate from its body and installs this:
%WinDir%\Windows.cer – which is 590 bytes.

After its implementation, the trojan deletes itself.

Technical Details

A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE-EXE file). 231124 bytes. Written in C++.