TR/PSW.Magania.azha is a trojan designed to steal credentials and other confidential information related to online games. It is reported to propagate via removable USB devices and unsecured network shares; the autorun.inf it drops at the drive root (listed below) is consistent with that, although the vendor write-up itself records no spreading routine of its own.
General
Method of propagation:
• No own spreading routine

Aliases:
• Symantec: Trojan.Packed.NsAnti
• Kaspersky: Trojan-GameThief.Win32.Magania.azha
• F-Secure: Trojan-GameThief.Win32.Magania.azha
• Panda: W32/Lineage.KSZ
• Eset: Win32/PSW.OnLineGames.NMY
• Bitdefender: Trojan.PWS.OnlineGames.KBXH

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a file
• Drops a file
• Drops malicious files
• Registry modification
• Steals information

Files
It copies itself to the following locations:
• %SYSDIR%\olhrwef.exe
• C:\ej10fkdo.bat

It deletes the initially executed copy of itself.

The following files are created:
– C:\autorun.inf
This is a plain text file (not itself executable) with the following content:
• %code that runs malware%
– %SYSDIR%\drivers\klif.sys
Further investigation showed that this file is also malware. Detected as: RKit/OnlineGames.CG.1
– %SYSDIR%\nmdfgds0.dll
Further investigation showed that this file is also malware. Detected as: TR/PSW.Wow.ife

Registry
The following registry key is added so that the dropped driver is loaded as a service after reboot (Type 1 is a kernel driver, Start 1 means it is loaded at system start):
– [HKLM\SYSTEM\ControlSet001\Services\KAVsys]
• Type=dword:00000001
• ErrorControl=dword:00000001
• Start=dword:00000001
• ImagePath="\??\%SYSDIR%\drivers\klif.sys"

Injection
– It injects itself into a process. Process name:
• explorer.exe

File details
Programming language: The malware was written in MS Visual C++.
Runtime packer: To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Download link: to remove, download Avira.
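The file paths, the service key and the autorun.inf above are the indicators a responder would sweep a suspect host for. The following script is an added example, not part of the vendor write-up: it takes a file listing and a `reg export` of the service key (both shown here as constructed samples), expands `%SYSDIR%`, and reports which indicators are present. The autorun.inf content is an assumption for the sample, since the write-up does not quote it; the parser only extracts the targets an autorun.inf can name. Note that `klif.sys` and the service name `KAVsys` mimic Kaspersky component names, so a path hit alone is not conclusive: confirm the file's hash or signature before acting.

```python
"""IOC sweep for the TR/PSW.Magania.azha artefacts described above (added example)."""
import re

# Indicators taken from the write-up; %SYSDIR% is expanded at scan time.
FILE_IOCS = [
    r"%SYSDIR%\olhrwef.exe",
    r"C:\ej10fkdo.bat",
    r"C:\autorun.inf",
    r"%SYSDIR%\drivers\klif.sys",
    r"%SYSDIR%\nmdfgds0.dll",
]
SERVICE_KEY = r"HKLM\SYSTEM\ControlSet001\Services\KAVsys"
SERVICE_VALUES = {
    "Type": 1,          # SERVICE_KERNEL_DRIVER
    "ErrorControl": 1,  # SERVICE_ERROR_NORMAL
    "Start": 1,         # SERVICE_SYSTEM_START: loaded early at boot
    "ImagePath": r"\??\%SYSDIR%\drivers\klif.sys",
}


def expand(path, sysdir):
    return path.replace("%SYSDIR%", sysdir)


def norm(path):
    """Case-insensitive, trailing-backslash-insensitive comparison form."""
    return path.lower().rstrip("\\")


def match_files(listing, sysdir=r"C:\WINDOWS\system32"):
    """Return the FILE_IOCS entries whose expanded path appears in `listing`."""
    want = {norm(expand(p, sysdir)): p for p in FILE_IOCS}
    have = {norm(p) for p in listing}
    return sorted(want[k] for k in want if k in have)


def parse_reg_export(text):
    """Parse the subset of .reg syntax we need: [key] headers, dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM")
            keys[current] = {}
            continue
        value = re.match(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if value and current is not None:
            name = value.group(1)
            if value.group(3) is not None:
                keys[current][name] = int(value.group(3), 16)
            else:
                # .reg exports escape backslashes in strings as \\
                keys[current][name] = value.group(4).replace("\\\\", "\\")
    return keys


def match_service(keys, sysdir=r"C:\WINDOWS\system32"):
    """None if the KAVsys key is absent; otherwise which documented values match."""
    values = keys.get(SERVICE_KEY)
    if values is None:
        return None
    hits = {}
    for name, expected in SERVICE_VALUES.items():
        got = values.get(name)
        if isinstance(expected, str):
            hits[name] = got is not None and norm(got) == norm(expand(expected, sysdir))
        else:
            hits[name] = got == expected
    return hits


def autorun_targets(text):
    """Executables named by an autorun.inf: open=, shellexecute=, shell\<verb>\command=."""
    targets, in_autorun = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, val = line.split("=", 1)
            key = key.strip().lower()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(val.strip())
    return targets


# Constructed sample input standing in for a real host; not taken from the write-up.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\olhrwef.exe",
    r"C:\WINDOWS\system32\drivers\klif.sys",
    r"C:\WINDOWS\system32\nmdfgds0.dll",
    r"C:\ej10fkdo.bat",
    r"C:\autorun.inf",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KAVsys]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\klif.sys"
'''
SAMPLE_AUTORUN = "[autorun]\nopen=ej10fkdo.bat\n"  # assumed content, not quoted by the write-up

if __name__ == "__main__":
    print("files:", match_files(SAMPLE_LISTING))
    print("service:", match_service(parse_reg_export(SAMPLE_REG)))
    print("autorun targets:", autorun_targets(SAMPLE_AUTORUN))
```

On a live host the inputs come from a recursive directory listing and `reg export HKLM\SYSTEM\ControlSet001\Services\KAVsys kavsys.reg` (the export is UTF-16 with a BOM, so open it with `encoding="utf-16"`). Sweep every drive root for autorun.inf, not just C:\, because an infected removable drive carries the same file.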