Trojan.PWS.OnlineGames.KBVT( Worm:Win32/Taterf.B; Trojan-GameThief.Win32.Magania.aymn )
SYMPTOMS:- no update possible for antivirus solutions
- presence of a hidden autorun.inf file on C: drive (which points to a hidden executable file having one of the following extensions: .bat, .com, .cmd, .exe)
- presence of the following two hidden files in %System% folder: olhrwef.exe and nmdfgds0.dll
- presence of a file named klif.sys in %Drivers% folder (even if Kaspersky antivirus isn't installed on the computer)
TECHNICAL DESCRIPTION:This is another onlinegames password stealer. When first run the malware will perform the following actions:
- make a hidden copy of itself in %System% folder under olhrwef.exe and create the following registry key
in order for this copy to be run at every system startup
- drop a hidden .dll file named nmdfgds0.dll or nmdfgds1.dll in %System% folder - this is the component responsible for password stealing. It will be injected in all running processes and will monitor mouse gestures and keystrokes. some of the targeted online games are: MapleStory, Age Of Conan, Rohan, The Lord OF The Rings, Knight Online, Lands Of Aden and others.
- create a hidden autorun.inf file on each drive which points to a hidden copy of the malware found in %drive_letter%\1ogf.exe used to spread itself via removable drives
- drop a driver file named klif.sys in %dirvers% folder and create the following registry key in order for this driver to be loaded as a service at every system startup
This driver file, along with another .dll file named ANTIVM.dll, will be used to disable the update for different antivirus software or to stop processes that may be used to monitor running programs behaviour (in order to make analysis more difficult).
- it will also add the following modifications to registry settings
CheckedValue = 0x00000000
so that the user won't be able to see hidden files and folders in explorer while browsing the file system.
- it will download the following file http://[removed]uw2..com/xmfx/help1.rar and save it in %temp% folder (when this description was made the file wasn't available anymore)
To avoid antivirus detection both olhrwef.exe and nmdfgds0.dll were packed using NSAnti packer.
Removal instructions:Please let BitDefender disinfect your files.
ANALYZED BY:Dana Stanut, virus researcher