Trojan-GameThief.Win32.Magania.dbtv

Technical Details

This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). The file is 126 464 bytes in size. It is packed using ASPack. The unpacked file is approximately 516 KB in size. It is written in C++.


Installation


Once launched, the Trojan copies its original body to the current user's temporary files directory under the following name:

%Temp%\herss.exe

It assigns "Hidden", "Read Only", and "System" attributes to this file. In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\herss.exe"

Payload

Once launched, the Trojan increases its privileges to gain access to other processes. Subject to the presence of a launched "AVP.exe" process, the Trojan extracts a malicious driver from its body, under various names. If "AVP.exe" is not found, it saves the driver under the name:

%System%\drivers\klif.sys

The file is 3840 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Zapchast.ccf.


If the "AVP.exe" antivirus process is detected, the Trojan rewrites the system driver for Microsoft CD-ROM audio filter:

%System%\drivers\cdaudio.sys

It creates the service called "KAVsys" and uses it to launch the malicious driver. After launching the driver, the Trojan deletes the following registry key:
[HKLM\System\CurrentControlSet\Services\KAVsys]

and also deletes the file itself:
%System%\drivers\klif.sys
or:
%System%\drivers\cdaudio.sys

It searches for a process with the name "livesrv.exe" (BitDefender Security Update Service). After detecting a launched "livesrv.exe" process, the Trojan finds the location of the executable file and moves from this directory to the root directory of the logical C drive all executable files ("exe") and library files ("dll") with their original names, adding the new "vcd" extension, for example:
C:\livesrv.exe.vcd

It finds and opens Explorer:
%WinDir%\explorer.exe

If the original Trojan file is not located in the local drive's root directory, the malware ceases running. In other cases the Trojan uses Explorer to open the root directory of the local disk where its executable file is located. In order to ensure that its process is unique in the system, the Trojan creates unique identifiers called "Game_start", "DALXBHDFGERTONGOJK_POP", "MN_XADLEBCBAXCSDFGEWQCDDD0", and "KJLDSOIUBGDSEROPOFGSFSIKDQ_MN". The Trojan then extracts a malicious library from its body and saves it under the following name:
%Temp%\cvasds<rnd>.dll

where rnd is a decimal number.


The file is 86 016 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dbtv.


It assigns "Hidden", "Read Only", and "System" attributes to this file. In a separate stream, 72 000 times per cycle the Trojan searches for Kaspersky Anti-Virus windows with the class names "AVP.AlertDialog" and "AVP.Product_Notification". The Trojan closes the window with the class name "AVP.AlertDialog" by simulating a mouse click on the dialog window. It closes the window with the class name "AVP.Product_Notification" by sending a close message to this window. It searches for the process:

RavMon.exe

When this process is found in all streams, it searches for windows with the class name "#32770" and attempts to close them. It injects its malicious code into the address space of the process "explorer.exe". This launches for execution the malicious library "cvasds<rnd>.dll". The Trojan's library is injected into all launched applications. The Trojan uses this library to perform the following actions:
  • It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:
    [HKLM\System\CurrentControlSet\Control\Nls\Language]

  • In order to hide files with "Hidden" and "System" attributes, the Trojan creates the following parameters in the system registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
    

  • If "iexplore.exe" is the parent process for this library, every 500 milliseconds the Trojan searches the stream for a window with the class name "IEFrame". If successful, it returns the descriptor of the found window to later process data entered into the browser by the user.
  • It enables autorun for applications on removable media, adding the following value for the system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    

  • It creates the following registry keys:
    [HKCR\CLSID\MADOWN]
    "urlinfo"="dswdfre.q"
    [HKLM\Software\Classes\CLSID\MADOWN] "urlinfo"="dswdfre.q"

  • It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.16***.com*"
    

  • It downloads malware from the following URLs:
    http://www.16***u.com/1mg/am.rar
    http://www.go***ccf.com/1mg/am1.rar

    The files are saved in the current user's temporary files directory under the following names, respectively:
    %Temp%\am.exe
    %Temp%\am1.exe
    

    The file is 159 232 bytes in size.It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.


    The Trojan then opens the file, decrypts the header of the executable file, and launches it for execution. The malware extracts the executable file into the current user's temporary files directory under the name:

    %Temp%\apiqq.exe

    Then, in order to ensure that it is launched automatically each time the system is rebooted, it adds a link to the executable file in the system registry autorun key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "api32" = "%Temp%\apiqq.exe"
    

    It extracts a malicious library from its body, and saves it under one of the following names:
    %Temp%\apiqq0.dll 
    %Temp%\apiqq1.dll
    

    This file is 98 304 bytes in size.It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.
  • Once the system is rebooted, the Trojan deletes all interceptors installed in SSDT (System Service Dispatch Table), including antivirus applications.
  • It blocks the renewal service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents the execution of renewals for the following antiviruses:
    ALYac
    Avast
    AVG
    Antivir Guard
    McAfee 
    Norton Security Suite
    NOD32
    Symantec 
    Spyware Doctor Internet Security
    Trend Micro Internet Security
    Virus Chaser
    

  • It steals confidential data from user accounts for the following games:
    World of Warcraft
    SilkRoad Online
    Knight Online
    CABAL Online
    Metin2
    MapleStory
    Dofus
    Guild Wars
    Aion
    Dungeon Fighter Online
    MU Online
    Seal Online
    EVE Online
    

  • The Trojan sends the collected data to the malicious user's server via the following links:
    http://go***6s.com/y2y3/mfg/lin.asp
    http://go***6s.com/y2y3/mwo/lin.asp
    http://go***6s.com/y2y3/mqs/lin.asp
    http://go***6s.com/y2y3/msl/lin.asp
    http://go***6s.com/y2y3/ohs/lin.asp
    http://go***6s.com/y2y3/myt/lin.asp
    http://go***6s.com/y2y3/xfg/lin.asp
    http://go***6s.com/y2y3/tjt/lin.asp
    http://go***6s.com/y2y3/odo/lin.asp
    http://go***6s.com/y2y3/ofg/lin.asp
    http://go***6s.com/y2y3/dyt/lin.asp
    http://go***6s.com/y2y3/mjz/lin.asp
    http://go***6s.com/y2y3/yhz/lin.asp
    http://go***6s.com/y2y3/mnf/lin.asp
    http://go***6s.com/y2y3/mmu/lin.asp
    http://go***6s.com/y2y3/txw/lin.asp
    http://go***6s.com/y2y3/mev/lin.asp
    


Propagation


For its subsequent propagation the Trojan copies the following file:

%Temp%\herss.exe

into the root directories of all local drives, network drives, and removable drives, under the name:
X:\wyskq6lt.exe

where X is the letter of the disk partition. The Trojan creates the below file to autorun the executable file:
X:\autorun.inf

It writes the following strings to this file:
[AutoRun]
open=wyskq6lt.exe
shell\open\Command=wyskq6lt.exe
The Trojan assigns "Hidden", "Read Only", and "System" attributes to the created files.

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the following system registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "api32" = "%Temp%\apiqq.exe"
    "cdoosoft"="%Temp%\herss.exe"
    

  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Modify the following registry key parameters:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000000
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"="*www*|www.163*.com*"

    To
    [
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000001
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000001
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:00000255
    [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks"=""
    

  4. Delete the following registry keys:
    [HKCR\CLSID\MADOWN]
    [HKLM\Software\Classes\CLSID\MADOWN]
    

  5. Delete the following files:
    %Temp%\herss.exe
    %Temp%\apiqq.exe
    %Temp%\apiqq0.dll 
    %Temp%\apiqq1.dll
    %Temp%\am.exe
    %Temp%\am1.exe
    X:\wyskq6lt.exe
    X:\autorun.inf
    %Temp%\cvasds<rnd>.dll
    
    where rnd is a decimal number.
  6. Restore antivirus components.
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

[MD5: b06f47faeba87fe46cde3dfcfc7e3fa7]
[SHA1: 0ef51ea12b22cb78ce0d037baafddfa830d17606]