PWS-Gamania.gen.a!712200C7

This page shows details and results of our analysis on the malware PWS-Gamania.gen.a!712200C7

Overview

This is a password stealing trojan for online games. The threat is detected as PWS-Gamania.gen trojan with DAT 5344 or newer and was detected as W32/Autorun.worm.bx.gen from DAT 5264 to DAT 5343.


Minimum DAT: 5264 (2008-04-01)

Updated DAT: 5344 (2008-07-22)

Minimum Engine: 5.1.00

File Length: 105,128 bytes

Description Added: 2008-08-06

Description Modified: 2008-08-06

Malware Proliferation

Characteristics

Upon execution, the trojan drops the following files:

  • %SystemDir%\amvo.exe 105,128 bytes (PWS-Gamania.gen.a trojan)
  • %SystemDir%\amvo0.dll 70,656 bytes (PWS-Gamania.gen.a trojan)
  • %UserProfile%\Local Settings\Temp\7bpapp.dll 27,521 bytes (PWS-Gamania.gen.a trojan)

Note:
%SystemDir% refers to the Windows System folder, e.g. C:\Windows\System32.
%UserProfile% is a variable location and refers to the user's profile folder, e.g. C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

The trojan modifies the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "amva" =  %SystemDir%\amvo.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    ShowSuperHidden

The trojan attempts to steal account information of the following online games:

  • MapleStory
  • PlayOnline
  • World of Warcraft
  • Lineage

Symptoms

  • Presence of the mentioned files/registry keys
  • Unexpected termination of running processes
  • Unexpected program execution from removable or network drive(s)

Method of Infection

The trojan propagates over removable media and network drives and causes execution of its malicious code via an autorun.inf file.

  • X:\autorun.inf 572 bytes (Generic!atr trojan)
  • X:\oq.cmd 105,128 bytes (PWS-Gamania.gen.a trojan)

(Where X: is the drive letter of a removable or network drive)
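The files, registry values and autorun artifacts listed in the Characteristics and Method of Infection sections can be checked for on a host with a short read-only triage script. The PowerShell below is an added example written for this page; it is not McAfee code and not part of the original description. It assumes Windows PowerShell 3 or later run from an elevated prompt, that %UserProfile%\Local Settings\Temp corresponds to the current user's temp folder ($env:TEMP on newer Windows), and that the "expected" registry values (AutoRun disabled on all drive types, hidden and system files shown) are the hardening values an administrator would want to see; the description itself does not state what values the trojan writes. The script only reports; removal is left to the engine/DAT as the page recommends.

```powershell
# Added example (not from the McAfee description): read-only triage for the
# PWS-Gamania.gen.a artifacts listed on this page. Run from an elevated prompt.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped files, with the sizes given in the description.
#    The temp path is checked in both the XP-era location and $env:TEMP (assumption).
$dropped = @(
    @{ Path = Join-Path $env:SystemRoot 'System32\amvo.exe';                 Size = 105128 },
    @{ Path = Join-Path $env:SystemRoot 'System32\amvo0.dll';                Size = 70656  },
    @{ Path = Join-Path $env:USERPROFILE 'Local Settings\Temp\7bpapp.dll';   Size = 27521  },
    @{ Path = Join-Path $env:TEMP '7bpapp.dll';                              Size = 27521  }
)
foreach ($d in $dropped) {
    $f = Get-Item -LiteralPath $d.Path -Force
    if ($f) {
        $sizeNote = if ($f.Length -eq $d.Size) { 'size matches listing' } else { "size $($f.Length), listed $($d.Size)" }
        $findings += "FILE    $($d.Path) present ($sizeNote)"
    }
}

# 2. Run-key persistence: value "amva" pointing at amvo.exe.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if ($run -and $run.amva) { $findings += "REG     HKCU\...\CurrentVersion\Run\amva = $($run.amva)" }

# 3. Explorer/AutoRun values the trojan modifies. Expected values are the
#    administrator-preferred settings (assumption, not stated on the page):
#    NoDriveTypeAutoRun 0xFF = AutoRun off for every drive type;
#    CheckedValue/Hidden/ShowSuperHidden = 1 keeps hidden and system files visible.
$checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';                   Name = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue';      Expected = 1    },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                   Name = 'Hidden';             Expected = 1    },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                   Name = 'ShowSuperHidden';    Expected = 1    }
)
foreach ($c in $checks) {
    $props = Get-ItemProperty -Path $c.Key -Name $c.Name
    $v = if ($props) { $props.$($c.Name) } else { $null }
    if ($null -eq $v) {
        $findings += "REG     $($c.Key)\$($c.Name) not set"
    } elseif ($v -ne $c.Expected) {
        $findings += "REG     $($c.Key)\$($c.Name) = $v (expected $($c.Expected))"
    }
}

# 4. autorun.inf / oq.cmd in the root of removable (DriveType 2) and network
#    (DriveType 4) drives, the propagation path described above.
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 }
foreach ($drv in $drives) {
    foreach ($name in 'autorun.inf', 'oq.cmd') {
        $p = Join-Path $drv.DeviceID $name
        $f = Get-Item -LiteralPath $p -Force
        if ($f) { $findings += "DRIVE   $p present ($($f.Length) bytes, attributes: $($f.Attributes))" }
    }
}

# 5. A running copy of the dropped executable.
Get-Process -Name amvo | ForEach-Object { $findings += "PROC    amvo.exe running, PID $($_.Id)" }

if ($findings.Count -eq 0) {
    'No PWS-Gamania.gen.a artifacts found.'
} else {
    "Findings ($($findings.Count)):"
    $findings
}
```

A "not set" result for the HKLM policy values is only informational on a host that never had them configured; the file, Run-key, drive-root and process findings are the ones that indicate an actual infection and should be followed by a scan with the recommended engine and DAT.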

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

Variants