Technical Details
This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). The file is 126 464 bytes in size. It is packed using ASPack. The unpacked file is approximately 516 KB in size. It is written in C++.
Installation
Once launched, the Trojan copies its original body to the current user's temporary files directory under the following name:
%Temp%\herss.exe
It assigns "Hidden", "Read Only", and "System" attributes to this file. In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry autorun key:[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="%Temp%\herss.exe"
Payload
Once launched, the Trojan increases its privileges to gain access to other processes. Subject to the presence of a launched "AVP.exe" process, the Trojan extracts a malicious driver from its body, under various names. If "AVP.exe" is not found, it saves the driver under the name:
%System%\drivers\klif.sys
The file is 3840 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Zapchast.ccf.
If the "AVP.exe" antivirus process is detected, the Trojan rewrites the system driver for Microsoft CD-ROM audio filter:
%System%\drivers\cdaudio.sys
It creates the service called "KAVsys" and uses it to launch the malicious driver. After launching the driver, the Trojan deletes the following registry key:[HKLM\System\CurrentControlSet\Services\KAVsys]
and also deletes the file itself:%System%\drivers\klif.sys
or:%System%\drivers\cdaudio.sys
It searches for a process with the name "livesrv.exe" (BitDefender Security Update Service). After detecting a launched "livesrv.exe" process, the Trojan finds the location of the executable file and moves from this directory to the root directory of the logical C drive all executable files ("exe") and library files ("dll") with their original names, adding the new "vcd" extension, for example:C:\livesrv.exe.vcd
It finds and opens Explorer:%WinDir%\explorer.exe
If the original Trojan file is not located in the local drive's root directory, the malware ceases running. In other cases the Trojan uses Explorer to open the root directory of the local disk where its executable file is located. In order to ensure that its process is unique in the system, the Trojan creates unique identifiers called "Game_start", "DALXBHDFGERTONGOJK_POP", "MN_XADLEBCBAXCSDFGEWQCDDD0", and "KJLDSOIUBGDSEROPOFGSFSIKDQ_MN". The Trojan then extracts a malicious library from its body and saves it under the following name:%Temp%\cvasds<rnd>.dll
where rnd is a decimal number.
The file is 86 016 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dbtv.
It assigns "Hidden", "Read Only", and "System" attributes to this file. In a separate stream, 72 000 times per cycle the Trojan searches for Kaspersky Anti-Virus windows with the class names "AVP.AlertDialog" and "AVP.Product_Notification". The Trojan closes the window with the class name "AVP.AlertDialog" by simulating a mouse click on the dialog window. It closes the window with the class name "AVP.Product_Notification" by sending a close message to this window. It searches for the process:
RavMon.exe
When this process is found in all streams, it searches for windows with the class name "#32770" and attempts to close them. It injects its malicious code into the address space of the process "explorer.exe". This launches for execution the malicious library "cvasds<rnd>.dll". The Trojan's library is injected into all launched applications. The Trojan uses this library to perform the following actions:- It determines the language installed in the system by reading the value of the "InstallLanguage" registry key parameter:
[HKLM\System\CurrentControlSet\Control\Nls\Language] - In order to hide files with "Hidden" and "System" attributes, the Trojan creates the following parameters in the system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden"=dword:00000002 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ShowSuperHidden"=dword:00000000 [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000000 - If "iexplore.exe" is the parent process for this library, every 500 milliseconds the Trojan searches the stream for a window with the class name "IEFrame". If successful, it returns the descriptor of the found window to later process data entered into the browser by the user.
- It enables autorun for applications on removable media, adding the following value for the system registry key parameter:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun"=dword:00000091 - It creates the following registry keys:
[HKCR\CLSID\MADOWN] "urlinfo"="dswdfre.q" [HKLM\Software\Classes\CLSID\MADOWN] "urlinfo"="dswdfre.q" - It adds a mask to the NOD32 exception list for the domain from which the files are downloaded:
[HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000] "Masks"="*www*|www.16***.com*" - It downloads malware from the following URLs:
http://www.16***u.com/1mg/am.rar http://www.go***ccf.com/1mg/am1.rarThe files are saved in the current user's temporary files directory under the following names, respectively:%Temp%\am.exe %Temp%\am1.exeThe file is 159 232 bytes in size.It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy.The Trojan then opens the file, decrypts the header of the executable file, and launches it for execution. The malware extracts the executable file into the current user's temporary files directory under the name:%Temp%\apiqq.exeThen, in order to ensure that it is launched automatically each time the system is rebooted, it adds a link to the executable file in the system registry autorun key:[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "api32" = "%Temp%\apiqq.exe"It extracts a malicious library from its body, and saves it under one of the following names:%Temp%\apiqq0.dll %Temp%\apiqq1.dllThis file is 98 304 bytes in size.It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.dtyy. - Once the system is rebooted, the Trojan deletes all interceptors installed in SSDT (System Service Dispatch Table), including antivirus applications.
- It blocks the renewal service for Kaspersky Anti-Virus by modifying the file "PrUpdate.ppl", and also prevents the execution of renewals for the following antiviruses:
ALYac Avast AVG Antivir Guard McAfee Norton Security Suite NOD32 Symantec Spyware Doctor Internet Security Trend Micro Internet Security Virus Chaser - It steals confidential data from user accounts for the following games:
World of Warcraft SilkRoad Online Knight Online CABAL Online Metin2 MapleStory Dofus Guild Wars Aion Dungeon Fighter Online MU Online Seal Online EVE Online - The Trojan sends the collected data to the malicious user's server via the following links:
http://go***6s.com/y2y3/mfg/lin.asp http://go***6s.com/y2y3/mwo/lin.asp http://go***6s.com/y2y3/mqs/lin.asp http://go***6s.com/y2y3/msl/lin.asp http://go***6s.com/y2y3/ohs/lin.asp http://go***6s.com/y2y3/myt/lin.asp http://go***6s.com/y2y3/xfg/lin.asp http://go***6s.com/y2y3/tjt/lin.asp http://go***6s.com/y2y3/odo/lin.asp http://go***6s.com/y2y3/ofg/lin.asp http://go***6s.com/y2y3/dyt/lin.asp http://go***6s.com/y2y3/mjz/lin.asp http://go***6s.com/y2y3/yhz/lin.asp http://go***6s.com/y2y3/mnf/lin.asp http://go***6s.com/y2y3/mmu/lin.asp http://go***6s.com/y2y3/txw/lin.asp http://go***6s.com/y2y3/mev/lin.asp
Propagation
For its subsequent propagation the Trojan copies the following file:
%Temp%\herss.exe
into the root directories of all local drives, network drives, and removable drives, under the name:X:\wyskq6lt.exe
where X is the letter of the disk partition. The Trojan creates the below file to autorun the executable file:X:\autorun.inf
It writes the following strings to this file:[AutoRun]
open=wyskq6lt.exe
shell\open\Command=wyskq6lt.exe
The Trojan assigns "Hidden", "Read Only", and "System" attributes to the created files.Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the following system registry key parameters:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "api32" = "%Temp%\apiqq.exe" "cdoosoft"="%Temp%\herss.exe" - Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Modify the following registry key parameters:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden"=dword:00000002 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ShowSuperHidden"=dword:00000000 [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000000 [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000] "Masks"="*www*|www.163*.com*"To[ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden"=dword:00000001 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ShowSuperHidden"=dword:00000001 [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"=dword:00000001 [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun"=dword:00000255 [HKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000] "Masks"="" - Delete the following registry keys:
[HKCR\CLSID\MADOWN] [HKLM\Software\Classes\CLSID\MADOWN] - Delete the following files:
%Temp%\herss.exe %Temp%\apiqq.exe %Temp%\apiqq0.dll %Temp%\apiqq1.dll %Temp%\am.exe %Temp%\am1.exe X:\wyskq6lt.exe X:\autorun.inf %Temp%\cvasds<rnd>.dllwhere rnd is a decimal number. - Restore antivirus components.
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
Žádné komentáře:
Okomentovat