PWS:Win32/Gamania


PWS:Win32/Gamania is a family of trojans that steal online game passwords and send them to remote sites.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

PWS:Win32/Gamania is a family of trojans that steal online game passwords and send them to remote sites.
Installation
When PWS:Win32/Gamania runs, it copies itself and drops a DLL to the System directory. The filenames used differ according to variant.
 
It then modifies the registry to execute itself at each Windows start, by adding values and data specific to the particular variant to the following subkey: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
In addition, it makes the following registry modification:
Adds value: ver_
With data: <version>
To subkey: HKLM\Software\Microsoft\Windows
 
For example, one variant copies itself to %windir%\config\svhost32.exe, drops a DLL to <system folder>\dllf.dll, and makes the following registry modifications:
Adds value: "fzg"
With data: "%windir%\config\svhost32.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "ver_"
With data: "mz."
To subkey: HKLM\software\microsoft\windows
 
Another variant, for example, copies itself to %windir%\addins\rundll32.exe, drops a DLL to <system folder>\r2dll.dll, and makes the following registry modifications:
Adds value: "Rr2"
With data: "%windir%\addins\rundll32.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "ver_"
With data: "mz."
To subkey: HKLM\software\microsoft\windows
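As an added defender-side example (not part of this encyclopedia entry), the following Python checks a `reg export` text dump for the two persistence indicators listed above: Run-key values that launch the known Gamania file paths, and the "ver_" marker value under HKLM\Software\Microsoft\Windows. The sample export and the benign "SecurityHealth" entry in it are constructed for illustration; the key normalisation is what lets the entry's two spellings of the marker key match.

```python
# Indicators as listed in the entry above; the page gives both spellings of the marker key.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKLM\Software\Microsoft\Windows"
KNOWN_PAYLOADS = {r"%windir%\config\svhost32.exe", r"%windir%\addins\rundll32.exe"}

# Constructed sample in 'reg export' format; SecurityHealth is a benign entry added for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"fzg"="%windir%\\config\\svhost32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows]
"ver_"="mz."
"""

def normalise_key(key):
    """Expand the HKLM abbreviation and fold case so the page's two spellings compare equal."""
    key = key.strip().strip("[]")
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.upper()

def parse_reg_export(text):
    """Minimal parser: [key] headers and "name"="data" string values; other value types are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line)
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line.partition("=")
            # .reg files escape each backslash as "\\"; undo that before comparing paths.
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_gamania_indicators(reg_text):
    """Return one human-readable finding per Gamania indicator present in the export."""
    keys = parse_reg_export(reg_text)
    payloads = {p.lower() for p in KNOWN_PAYLOADS}
    findings = []
    for name, data in keys.get(normalise_key(RUN_KEY), {}).items():
        if data.lower() in payloads:
            findings.append(f"Run value {name!r} launches known Gamania path {data}")
    marker = keys.get(normalise_key(MARKER_KEY), {})
    if "ver_" in marker:
        findings.append(f"Marker value 'ver_' present with data {marker['ver_']!r}")
    return findings
```

On a live system, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows <file>`; a Run value pointing at either known path, or the "ver_" marker, warrants the full-system scan recommended above.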
 
Payload
Steals Online Game Passwords
PWS:Win32/Gamania sets up keyboard and mouse message hooks in order to capture login information when the affected user attempts to access particular game websites, such as http://www.wayi.com.tw.
 
Downloads and Executes Arbitrary Files
PWS:Win32/Gamania is able to update itself. It contacts a remote site to check if a new version is available. If found, it downloads the new version and then executes it.
 
Modifies System Security Settings
The trojan attempts to close alert windows used by the following security-related applications:
• Rising Security Monitor
• ZoneAlarm
 
Terminates Processes
PWS:Win32/Gamania attempts to terminate the following processes:
• Eghost.exe
• Mailmon.exe
• KAVPFW.exe
• IPArmor.exe
 
Analysis by Chun Feng

Symptoms

Symptoms that indicate the presence of this trojan differ according to variant.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.179.1889.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 07, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases