TSPY_MAGANIA
OnlineGames, Magania, Gamania, Taterf
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
KAVO malware are known for stealing account details for online games. They do so by monitoring game-related processes and websites. The stolen information consists of user names and passwords. These spyware may connect to specific URLs to download other components.
Aside from stealing information, KAVO malware can compromise a system's security. They may disable antivirus applications by terminating antivirus-related processes if found running on the affected system.
Interestingly, KAVO malware also check if the language of the system is not Chinese. There are some speculations that the creator of KAVO malware has origins in China, which may explain the connection of checking the operating system's language. However, there are no known perpetrators for KAVO malware as of 2012.
TECHNICAL DETAILS
Installation
This spyware drops the following copies of itself into the affected system:
- %System%\{random 5 letters}.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This spyware modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, {random 5 letters}.exe"
(Note: The default value data of the said registry entry is %System%\userinit.exe.)
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = "0"
HKEY_LOCAL_MACHINE\ SOFTWARE\ MICROSOFT\
Windows\ CURRENTVERSION\ URL
SystemMgr = "Del"
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\
protected\AVP7\profiles\
Updater
enabled = "0"
Other Details
This spyware connects to the following possibly malicious URL:
- http://www.{BLOCKED}hhuo.net/mljs11/heihaahhuo.png
- http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.jpg
- http://{BLOCKED}r.{BLOCKED}2.com/23weer/23weer.gif
- http://www.{BLOCKED}a.com/images/china.jpg
- http://www.{BLOCKED}a.com/images/china.gif
- http://www.{BLOCKED}a.com/images/china.bmp