Worm:Win32/Taterf.DL is a worm that spreads via mapped drives to steal login and account details for popular online games. It may also modify certain computer settings.
Installation
Worm:Win32/Taterf.DL may be dropped on the system as a component of other malware. It is installed as an EXE file and a DLL file in the Windows system folder, using various file names, for example:
- <system folder>\cyban.exe
- <system folder>\cyban<number>.dll
Where <number> is either omitted entirely or a single numeral from 0 to 9.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware creates an autostart registry entry for its executable component, for example:
Adds value: "cybansos"
With data: "<system folder>\cyban.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The malware injects its code into "iexplore.exe".
Spreads via...
Mapped removable and network drives
The worm continually enumerates drives from C to Z, copying itself to the root of each drive and creating an 'autorun.inf' file that points to one of the copies it creates. When the removable or network drive is accessed from another computer that supports the Autorun feature, the malware is launched automatically. This 'autorun.inf' file is detected as Worm:Win32/Taterf!inf.
The file name the worm uses for its copy in the root of the drive differs across variants; it usually consists of random letters and numbers with a '.com', '.cmd' or '.exe' extension.
For example:
q.com
d.com
d6fagcs8.cmd
gjn2pjlw.exe
h1dwg20.exe
h6o0re.cmd
Payload
Modifies computer settings
Worm:Win32/Taterf.DL modifies the following registry entries, which control whether hidden files and folders are displayed in Windows Explorer:
Adds value: "ShowSuperHidden"
With data: "0"
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
If Autorun is disabled, Worm:Win32/Taterf.DL also tries to enable it by modifying the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
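The following PowerShell check is an added example, not part of this write-up: it reads the Explorer and Autorun values listed above and reports any that match the settings the worm writes, plus the "cybansos" Run value used for persistence. It assumes a Windows host and should be run in an elevated session so the HKLM key is readable.

```powershell
# Added example: compare the registry values the worm modifies against the
# settings it writes. Values and key paths are taken from the write-up above.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Bad = 0; Note = 'protected OS files hidden' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden';          Bad = 2; Note = 'hidden files not shown' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue';    Bad = 0; Note = '"Show hidden files" option forced off' }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("[?]  {0}\{1} not present" -f $c.Path, $c.Name)
    } elseif ($item.($c.Name) -eq $c.Bad) {
        Write-Output ("[!]  {0}\{1} = {2} ({3}) - matches Taterf setting" -f $c.Path, $c.Name, $item.($c.Name), $c.Note)
    } else {
        Write-Output ("[ok] {0}\{1} = {2}" -f $c.Path, $c.Name, $item.($c.Name))
    }
}

# NoDriveTypeAutoRun: 0xFF (255) disables Autorun for every drive type. The worm
# modifies the HKCU copy of this policy, so a lower value there means Autorun is
# enabled for at least some drive types.
$polPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $polPath -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
if ($null -eq $pol) {
    Write-Output "[?]  $polPath\NoDriveTypeAutoRun not set in HKCU (machine policy applies)"
} elseif ($pol.NoDriveTypeAutoRun -ne 0xFF) {
    Write-Output ("[!]  NoDriveTypeAutoRun = 0x{0:X2} - Autorun enabled for some drive types" -f $pol.NoDriveTypeAutoRun)
} else {
    Write-Output "[ok] NoDriveTypeAutoRun = 0xFF"
}

# Persistence: the autostart value named in the Installation section.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['cybansos']) {
    Write-Output ("[!]  Run value 'cybansos' = {0}" -f $run.cybansos)
}
```

Hidden = 2 and ShowSuperHidden = 0 are also Explorer's default settings, so a match on those two alone is corroborating rather than conclusive; CheckedValue = 0 under SHOWALL is not a default and is the stronger indicator.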
Drops other malware
Worm:Win32/Taterf.DL may drop a driver with a randomly generated file name in the Windows Temp folder. This driver is detected as a variant of VirTool:WinNT/Vanti.
Steals online game data
Once injected, the DLL is used to obtain account information for one or more of the following Massively Multiplayer Online Games and affiliated products:
Rainbow Island
Cabal Online
A Chinese Odyssey
Hao Fang Battle Net
Lineage
Gamania
MapleStory
qqgame
Legend of Mir
World Of Warcraft
As part of this process, Worm:Win32/Taterf.DL may monitor the following processes related to online games:
amo.exe
cabalmain.exe
cc.exe
client.exe
dakerden.exe
dakeron.exe
dnf.exe
ffclient.exe
ge.exe
gersang.exe
goonzu.exe
hevaonline.exe
inphasenxd.exe
knightonline.exe
main.exe
maplestory.exe
mir3game.exe
mixer.exe
nida.exe
so3d.exe
winbaram.exe
wow.exe
The captured details are sent to a remote server.
Downloads arbitrary files
The worm contacts a specific domain in order to download files and update itself. In the wild, we have observed the malware contacting the following Web sites to download arbitrary files:
om7890.com
googlew65.com
yahooui0.com
The downloaded file is then saved in the Temporary Internet Files folder.
Analysis by Elda Dimakiling