( Worm:Win32/Taterf.B; Trojan-GameThief.Win32.Magania.aymn )
Spreading: high
Damage: high
Size: ~100kbytes
Discovered: 2009 Apr 08


- no update possible for antivirus solutions
- presence of a hidden autorun.inf file on C: drive (which points to a hidden executable file having one of the following extensions: .bat, .com, .cmd, .exe)
- presence of the following two hidden files in %System% folder: olhrwef.exe and nmdfgds0.dll
- presence of a file named klif.sys in %Drivers% folder (even if Kaspersky antivirus isn't installed on the computer)


     This is another onlinegames password stealer. When first run the malware will perform the following actions:

- make a hidden copy of itself in %System% folder under olhrwef.exe and create the following registry key
          Name: cdoosoft
          Value: "%System%\olhrwef.exe
in order for this copy to be run at every system startup

- drop a hidden .dll file named nmdfgds0.dll or nmdfgds1.dll in %System% folder - this is the component responsible for password stealing. It will be injected in all running processes and will monitor mouse gestures and keystrokes. some of the targeted online games are: MapleStory, Age Of Conan, Rohan, The Lord OF The Rings, Knight Online, Lands Of Aden and others.

- create a hidden autorun.inf file on each drive which points to a hidden copy of the malware found in %drive_letter%\1ogf.exe used to spread itself via removable drives

- drop a driver file named klif.sys in %dirvers% folder and create the following registry key in order for this driver to be loaded as a service at every system startup
         Type: 0x1
         ErrorControl: 0x1
         Start: 0x1
         ImagePath: %drivers%\klif.sys
This driver file, along with another .dll file named ANTIVM.dll, will be used to disable the update for different antivirus software or to stop processes that may be used to monitor running programs behaviour (in order to make analysis more difficult).

- it will also add the following modifications to registry settings
         CheckedValue = 0x00000000
so that the user won't be able to see hidden files and folders in explorer while browsing the file system.

- it will download the following file http://[removed] and save it in %temp% folder (when this description was made the file wasn't available anymore)

To avoid antivirus detection both olhrwef.exe and nmdfgds0.dll were packed using NSAnti packer.

Removal instructions:

Please let BitDefender disinfect your files.


Dana Stanut, virus researcher