Win32/PSW.Gamania [Threat Name]

Win32/PSW.Gamania.NFI [Threat Variant Name]

Category trojan
Size 55296 B
Detection created Nov 24, 2010
Detection database version 5646
Aliases Trojan-GameThief.Win32.Magania.emvl (Kaspersky)
  PWS:Win32/Magania.gen (Microsoft)
  PWS-Mmorpg!rstrojan (McAfee)
  Infostealer.Gampass (Symantec)
Short description

Win32/PSW.Gamania.NFI is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\%variable%.exe

A string with variable content is used instead of %variable%.

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%originalvalue%, %variable%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main]
    • "TabProcGrowth" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]
    • "SystemMgr" = "Del"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
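
The following triage check for the Registry entries listed above is an added example, not part of the original description. It works on a snapshot of exported registry values; the sample data, the function names, the file name kx3f9a.exe and the assumed system directory C:\Windows\system32 are constructed for illustration.

```python
import ntpath

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Marker values exactly as listed on this page: (key, value name) -> data
MARKERS = {
    (r"HKCU\Software\Microsoft\InternetExplorer\Main", "TabProcGrowth"): "0",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL", "SystemMgr"): "Del",
}

def extra_userinit_entries(value, system_dir=r"C:\Windows\system32"):
    """Return Userinit entries other than <system_dir>\\userinit.exe."""
    expected = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        # The stock value ends with a comma, so empty entries are normal.
        if entry and ntpath.normcase(ntpath.normpath(entry)) != expected:
            extras.append(entry)
    return extras

def triage(snapshot):
    """snapshot maps (key, value name) -> data, e.g. parsed from a reg export."""
    findings = []
    userinit = snapshot.get((WINLOGON, "Userinit"), "")
    for entry in extra_userinit_entries(userinit):
        findings.append(("userinit-extra", entry))
    for (key, name), expected in MARKERS.items():
        if str(snapshot.get((key, name))) == expected:
            findings.append(("marker", key + "\\" + name))
    return findings

# Constructed snapshot of an affected host (not real telemetry).
SAMPLE = {
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,, kx3f9a.exe",
    (r"HKCU\Software\Microsoft\InternetExplorer\Main", "TabProcGrowth"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL", "SystemMgr"): "Del",
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, detail)
```

An appended Userinit entry is the strong signal here. The two marker values are weak on their own and are best used to corroborate it.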

Other information

The trojan contains a list of 4 URLs. It tries to download several files from these addresses using the HTTP protocol. The files are then executed.


The trojan attempts to delete the following file:

  • C:\10533408\Skt.txt
