Threat behavior
Worm:Win32/Taterf.AA is a worm that spreads via mapped drives in order to steal login and account details for popular online games.
Installation
When executed, Taterf copies itself to the system directory as a hidden file using a file name with the following format:
The worm also drops a driver, wincab.sys, into the system directory. This driver is used to provide the worm with protection against particular security products. This driver is detected as VirTool:WinNT/Vanti.gen!A.
Additionally, files are created in the %temp% directory using randomly generated file names - these are detected as variants of Win32/Vanti.
The registry is modified to run the worm's copy at each Windows start (for example):
Adds value: "amva"
With data: "<system folder>\amvo<number>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The functionality to perform Taterf's password-stealing payload is contained in a dll component.
The dll is injected into explorer.exe or iexplore.exe and is detected as Worm:Win32/Taterf.A!dll.
Spreads via…
Mapped drives
The worm continually enumerates drives from C to Z, copying itself to the root of each drive as 'n1deiect.com' and creating an 'autorun.inf' file. The autorun.inf is used to execute the worm whenever the drive is viewed with Windows Explorer. This file is detected as Worm:Win32/Taterf!inf.
Payload
Steals online game data
Once injected, the DLL is used to obtain account information for the following Massively Multiplayer Online Games and affiliated products:
- Lands of Aden
- Depardieu
- Ken Rauhel
The captured details are sent to a remote server on the gamesrb.com domain.
Modifies system settings
The following registry entries are modified in order to hinder detection and removal, and facilitate spreading:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
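The following PowerShell script is an added host-audit example, not part of this write-up or a Microsoft tool: it checks for the Run value, the drive-root drop files, and the four Explorer/policy values described in the Installation, Mapped drives and Modifies system settings sections. The "hardened" values it compares against (AutoRun disabled for all drive types, hidden and protected files shown) are the script's own assumption about a clean host, not values taken from the analysis.

```powershell
# Added defender-side audit; reports traces matching the Taterf.AA description above.
$findings = @()

# 1. Run key: the write-up describes value "amva" -> <system folder>\amvo<number>.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        # skip the PS* metadata properties Get-ItemProperty adds to every object
        if (($p.Name -notmatch '^PS') -and ("$($p.Value)" -match '\\amvo\d+\.exe$')) {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. Drive roots: the worm drops n1deiect.com alongside an autorun.inf on every drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    # disconnected mapped drives are skipped rather than reported as errors
    if (-not (Test-Path -LiteralPath $d.Root -ErrorAction SilentlyContinue)) { continue }
    foreach ($name in 'n1deiect.com', 'autorun.inf') {
        $path = Join-Path $d.Root $name
        if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
            $findings += "Drive-root file present: $path"
        }
    }
}

# 3. Explorer/policy values the worm modifies; Expected = assumed hardened setting
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'ShowSuperHidden';    Expected = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'Hidden';             Expected = 1 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Expected = 1 }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $findings += "$($c.Path)\$($c.Name) is absent"; continue }
    $actual = $item.$($c.Name)
    if ($actual -ne $c.Expected) {
        $findings += "$($c.Path)\$($c.Name) = $actual (hardened value: $($c.Expected))"
    }
}

if ($findings.Count -eq 0) { 'No Taterf.AA traces found' } else { $findings }
```

An absent NoDriveTypeAutoRun under the HKCU Policies key is common on unmanaged hosts and is reported so it can be set, not because the worm removes it.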
Downloads arbitrary files
The worm contacts the om7890.com domain in order to download files and update itself.
Modifies system security settings
The worm attempts to circumvent security products by:
- Attempting to prevent AVP Antivirus from displaying notifications regarding system changes by closing windows used by this product.
- Attempting to terminate Ravmon.exe if it is found to be running on the affected system.
Analysis by Matt McCormack
Prevention