Full description

Virus:	TR/PSW.Magania.bgme
Date discovered:	17/06/2010
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Low to medium
Static file:	Yes
File size:	104.476 Bytes
MD5 checksum:	6F7D0987DF91CCD605DD2A5DDD8E2987
IVDF version:	7.01.04.101 - Wednesday, June 17, 2009

General Method of propagation:
   • Autorun feature

Aliases:
   • Symantec: W32.Gammima.AG
   • Kaspersky: Worm.Win32.AutoRun.gbp
   • TrendMicro: WORM_AUTORUN.DUY
   • F-Secure: Trojan.PWS.OnLineGames.KCMZ
   • Bitdefender: Trojan.PWS.OnLineGames.KCMZ
   • Microsoft: Worm:Win32/Taterf.B
   • AVG: Worm/AutoRun.GL
   • PCTools: Worm.AutoRun.gbp
   • VirusBuster: Worm.Taterf.ACC
   • Eset: Win32/PSW.OnLineGames.NNU
   • Sunbelt: Worm.Win32.AutoRun.gbp
   • GData: Trojan.PWS.OnLineGames.KCMZ
   • Authentium: W32/Onlinegames.BYF
   • DrWeb: Trojan.MulDrop.31605
   • Rising: Trojan.PSW.Win32.GameOnline.eri

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Downloads a file
   • Registry modification

Files It copies itself to the following locations:
   • %SYSDIR%\olhrwef.exe
   • %drive%\fsaht.cmd

It deletes the initially executed copy of itself.

It deletes the following files:
   • C:\fsaht.cmd
   • %TEMPDIR%\am1.rar

The following files are created:

– %drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

– %SYSDIR%\nmdfgds0.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.

It tries to download a file:

– The location is the following:
   • http://ngjk34.net/mg/****
It is saved on the local hard drive under: %TEMPDIR%\am1.rar

Registry The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Services\AVPsys]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\drivers\cdaudio.sys
   • "DisplayName"="AVPsys"

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

說明撰寫者 Irina Diaconescu 開啟 2010年11月2日星期二
說明更新者 Irina Diaconescu 開啟 2010年11月8日星期一

返回 . . . .

我的帳戶