Win32/PSW.Gamania [Threat Name]

Win32/PSW.Gamania.NFA [Threat Variant Name]

Category trojan
Size 104524 B
Detection created Sep 21, 2010
Signature database version 5468
Aliases Trojan-GameThief.Win32.Taworm.ggq (Kaspersky)
  Worm:Win32/Taterf.D (Microsoft)
  Klone.AP (AVG)
Short description

Win32/PSW.Gamania.NFA is a trojan that steals passwords and other sensitive information. The trojan disables various security-related applications.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\%random%.exe

%random% stands for a string with variable content.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe,%random%.exe"
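As an added defender-side check (example code, not part of ESET's description and not the trojan's code): the Python below splits a Winlogon "Userinit" value into its comma-separated program entries and reports every entry other than the stock userinit.exe path, which is exactly the kind of appended "%random%.exe" entry this trojan sets. The regex, the helper names, and the constructed sample values (with the placeholder name a1b2c3.exe standing in for %random%.exe) are assumptions of this example.

```python
"""
Report unexpected entries in the Winlogon "Userinit" value.

Added example, not ESET's code. Windows runs every program listed in the
comma-separated Userinit value at logon, so an extra entry after
userinit.exe is a common persistence indicator.
"""
import platform
import re
from typing import List, Optional

# The only entry present on a stock system: userinit.exe in the Windows
# system directory. Some vendor tools add their own entry; anything else
# should be reviewed rather than assumed benign. (Assumed pattern.)
EXPECTED_USERINIT = re.compile(
    r"^(?:%systemroot%\\system32|%system%|[a-z]:\\windows\\system32)\\userinit\.exe$",
    re.IGNORECASE,
)


def split_userinit(value: str) -> List[str]:
    """Split the raw REG_SZ value into individual program entries.

    Handles surrounding quotes, stray whitespace and the trailing comma
    that the stock value carries.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every entry that is not the stock userinit.exe path."""
    return [e for e in split_userinit(value) if not EXPECTED_USERINIT.match(e)]


def read_live_userinit() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, Windows only
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


# Constructed sample values (not taken from a real system).
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
# "a1b2c3.exe" is a placeholder for the %random%.exe name the page describes.
INFECTED_VALUE = r"C:\Windows\system32\userinit.exe,a1b2c3.exe"


if __name__ == "__main__":
    live = read_live_userinit()
    value = live if live is not None else INFECTED_VALUE
    extra = unexpected_userinit_entries(value)
    print("Userinit value:", value)
    print("Unexpected entries:", extra or "none")
```

On a non-Windows host the script falls back to the constructed infected sample so the logic can be exercised offline; on Windows it reads the real value, and any reported entry should be investigated together with the file it points to.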

The trojan creates and runs a new thread with its own program code within the following processes:

  • _beanfuncore.exe
  • 10.exe
  • 11.exe
  • aclient.exe
  • aion.bin
  • arad.exe
  • dnf.exe
  • elementclient.exe
  • explorer.exe
  • ff2client.exe
  • gersang.exe
  • Iexplore.exe
  • InphaseNXD.exe
  • l2.bin
  • lin.bin
  • maplestory.exe
  • msnmsgr.exe
  • online.dat
  • pcotp.exe
  • pol.exe
  • ragexe.exe
  • ragfree.exe
  • ragurdrexe.exe
  • Red Stone.exe
  • twelvesky2.exe
  • wow.exe
  • yahoomessenger.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • login name
  • login password

The trojan collects information related to the following applications:

  • _beanfuncore.exe
  • 10.exe
  • 11.exe
  • aclient.exe
  • aion.bin
  • arad.exe
  • dnf.exe
  • elementclient.exe
  • ff2client.exe
  • gersang.exe
  • InphaseNXD.exe
  • l2.bin
  • lin.bin
  • maplestory.exe
  • msnmsgr.exe
  • online.dat
  • pcotp.exe
  • pol.exe
  • ragexe.exe
  • ragfree.exe
  • ragurdrexe.exe
  • Red Stone.exe
  • twelvesky2.exe
  • wow.exe
  • yahoomessenger.exe

The trojan collects various information when Internet Explorer is being used to access the following sites:

  • http://df.nexon.com
  • http://www.nexon.com
  • http://clubaudition.ndolfin.com
  • http://12sky2.paran.com
  • http://www.gersang.co.kr
  • http://www.hangame.com
  • http://id.hangame.com
  • http://yulgang.mgame.com
  • http://maplestory.nexon.com
  • http://www.netmarble.net
  • http://r2.hangame.com
  • http://dragonnest.nexon.com
  • http://login.nexon.com/login
  • http://aion.plaync.co.kr
  • https://login.plaync.co.kr
  • https://login.yahoo.com
  • http://tw.yahoo.com
  • https://tw.gash.gamania.com/gashlogin.aspx
  • https://tw.gash.gamania.com/updatemainaccountpassword.aspx
  • https://tw.beanfun.gamania.com
  • https://tw.gash.gamania.com/updateserviceaccountpassword.aspx?servicecode=610074
  • https://tw.gash.gamania.com/updateserviceaccountpassword.aspx?servicecode=610035
  • http://login.live.com
  • http://tw.beanfun.gamania.com
  • https://tw.beanfun.gamania.com/unlock_login
  • http://tw.beanfun.com
  • http://www.pmang.com
  • http://fifaonline.pmang.com
  • http://tw.lineage.gamania.com
  • http://tw.maplestory.gamania.com
  • https://tw.login.beanfun.com
  • http://pubid.hangame.com
  • http://www.facebook.com
  • http://bbs.yoyo-do.com
  • http://bbs.wgun.net
  • http://www.nate.com
  • http://lineage.plaync.co.kr
  • http://raycity.pmang.com
  • http://web.munjanara.co.kr

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of 11 URLs and communicates over HTTP.

Other information

The trojan interferes with the operation of some security applications to avoid detection.
The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "TabProcGrowth" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
    • "SystemMgr"
  • [HKEY_CURRENT_USER\Software\Yahoo\pager]
    • "ETS"

The trojan may create the following files:

  • %system%\m.exe
  • %system%\t.exe
  • %system%\h.exe
  • %system%\r.exe
  • %system%\QQQ.exe

The trojan attempts to delete the following file:

  • C:\10533408\Skt.txt

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • remove itself from the infected computer
  • send gathered information

The trojan modifies the program code of the following Windows APIs:

  • send (ws2_32.dll)
  • connect (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • DispatchMessageW (user32.dll)
  • DispatchMessageA (user32.dll)
  • FindFirstFileW (kernel32.dll)
  • EnterCriticalSection (kernel32.dll)
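The API modification listed above is an inline (detour) hook: the first bytes of each exported function are overwritten with a jump into the trojan's injected code. As an added example of how a defender can spot that (not ESET's code and not the trojan's), the Python below classifies the first bytes of a function by the common x86 redirect forms and reports which functions in a set of samples are hooked. The function names are the ones on the page; the prologue bytes are constructed samples, and the helper names are assumptions of this example.

```python
"""
Detect x86 inline hooks from the first bytes of a function.

Added example, not ESET's code. A detour hook replaces a function's
prologue with a jump to attacker code; a clean Windows export normally
starts with an ordinary prologue such as "mov edi,edi / push ebp /
mov ebp,esp" (8B FF 55 8B EC).
"""
import struct
from typing import Dict, Optional


def describe_hook(prologue: bytes) -> Optional[str]:
    """Return a description of the redirect at the function start, or None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:  # JMP rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return f"JMP rel32 (displacement {rel:+#x})"
    if len(prologue) >= 6 and prologue[0:2] == b"\xFF\x25":  # JMP [abs32]
        ptr = struct.unpack_from("<I", prologue, 2)[0]
        return f"JMP via pointer at {ptr:#010x}"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        target = struct.unpack_from("<I", prologue, 1)[0]  # PUSH imm32 / RET
        return f"PUSH/RET to {target:#010x}"
    if len(prologue) >= 2 and prologue[0] == 0xEB:
        # Short jump at entry. Microsoft hotpatching can place one here,
        # so treat it as suspicious rather than conclusive.
        return "JMP rel8 (possible hotpatch, verify target)"
    return None


def hooked_functions(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map every hooked function name to the kind of redirect found."""
    result = {}
    for name, prologue in samples.items():
        desc = describe_hook(prologue)
        if desc is not None:
            result[name] = desc
    return result


# Constructed prologue samples; the names are the APIs the page lists.
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10"
SAMPLE_PROLOGUES = {
    "send (ws2_32.dll)": b"\xE9\xFB\x0F\x00\x00\x8B\xEC\x83",
    "connect (ws2_32.dll)": b"\x68\x00\x10\x40\x00\xC3\x90\x90",
    "closesocket (ws2_32.dll)": CLEAN_PROLOGUE,
    "DispatchMessageW (user32.dll)": b"\xFF\x25\x00\x20\x40\x00\x90\x90",
    "DispatchMessageA (user32.dll)": CLEAN_PROLOGUE,
    "FindFirstFileW (kernel32.dll)": CLEAN_PROLOGUE,
    "EnterCriticalSection (kernel32.dll)": b"\xEB\xF9\x8B\xFF\x55\x8B\xEC\x83",
}


if __name__ == "__main__":
    for name, desc in hooked_functions(SAMPLE_PROLOGUES).items():
        print(f"{name}: {desc}")
```

In practice the prologue bytes come from reading the export's first bytes in the suspect process and comparing them with the same offset in the on-disk DLL; a mismatch at the entry point, or any of the redirects above, marks the function for closer inspection.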
