Packer.Malware.NSAnti.1

HIGH
MEDIUM
200 kB - 600 kB
(PWS:Win32/Frethog (OneCare), Trojan.Packed.NsAnti (Symantec), PWS-Gamania.gen.a (McAfee), Trojan.Nsanti.Packed (DrWeb))

Symptoms

Unusual network activity.
IExplore.exe processes with hidden windows.
Presence of files with names similar to those described.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Anton, virus researcher

Technical Description:

Packer.Malware.NSAnti.1 is the name of a generic detection for malicious packed PWS-Onlinegames trojans, which attempt to steal passwords and user information for specific online games. These are usually downloaded by other malware, or by users themselves when visiting malicious websites. These trojans can also download updated versions of themselves or other malware.

When launched for the first time, this malware copies itself to "%system32%\[name].exe" and also drops a file as "%system32%\[name][digit].dll".

[name] is usually a 4-letter string, most often one of: "amvo", "kavo", "kxvo", "mmvo", "tavo".

If "[name].exe" was "amvo.exe", "[name][digit].dll" would be "amvo0.dll" or "amvo1.dll".

The malware has worm functionality: it copies itself to the root of removable devices and adds an "autorun.inf" file there, so that it is launched every time the device is accessed. It also adds a value to the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, so that it is launched every time the system is started.

Examples of games targeted by this malware are: Silkroad Online, KnightOnline, Lineage or Cabal Online.
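
The artifacts described above (the "%system32%" file names, the Run value and the "autorun.inf" on removable devices) can be checked during triage with a short script. The following is an added example, not Bitdefender's own code; the sample file listing, the Run value name "ExampleValue" and the "x.exe" autorun target are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Names the description lists as usual; other 4-letter names are possible.
KNOWN_NAMES = ("amvo", "kavo", "kxvo", "mmvo", "tavo")
_ALT = "|".join(KNOWN_NAMES)
# [name].exe or [name][digit].dll as a bare file name.
DROPPED = re.compile(r"^(?:%s)(?:\.exe|\d\.dll)$" % _ALT, re.I)
# [name].exe anywhere inside a Run value's command line.
RUN_HIT = re.compile(r"(?<![\w.])(?:%s)\.exe\b" % _ALT, re.I)
# autorun.inf keys that start a program when the volume is opened.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)


def is_dropped_name(path):
    """True if the file name matches [name].exe or [name][digit].dll."""
    return bool(DROPPED.match(PureWindowsPath(path).name))


def autorun_targets(inf_text):
    """Return the commands an autorun.inf would launch."""
    return [m.group(2) for m in map(LAUNCH_KEY.match, inf_text.splitlines()) if m]


def triage(files, run_values, autorun_inf_text=""):
    """Collect findings from a file listing, HKCU Run values and an autorun.inf."""
    findings = []
    for f in files:
        in_system32 = PureWindowsPath(f).parent.name.lower() == "system32"
        if in_system32 and is_dropped_name(f):
            findings.append(("system32-file", f))
    for name, data in run_values.items():
        if RUN_HIT.search(data):
            findings.append(("run-value", name))
    for cmd in autorun_targets(autorun_inf_text):
        findings.append(("autorun-launch", cmd))
    return findings


# Constructed sample data, not taken from a real infection.
SAMPLE_FILES = [r"C:\Windows\System32\amvo.exe", r"C:\Windows\System32\amvo1.dll",
                r"C:\Windows\System32\notepad.exe", r"C:\Users\a\kavo.txt"]
SAMPLE_RUN = {"ExampleValue": r"C:\Windows\System32\amvo.exe",
              "Updater": r'"C:\Program Files\App\upd.exe" /s'}
SAMPLE_INF = "[AutoRun]\nopen=x.exe\nshell\\open\\Command=x.exe\nicon=x.ico\n"

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_INF):
        print(kind, detail)
```

An "autorun.inf" launch entry is reported whatever program it names, because the description does not say what name the copy on the removable device uses.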