Worm:Win32/Taterf.B


Worm:Win32/Taterf.B is a worm that spreads via logical drives to steal login and account details for popular online games.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s: 

Threat behavior

Installation
Worm:Win32/Taterf.B is composed of a loader component and a payload component. It drops the following files into the system folder with the "hidden", "system", and "read-only" attributes set:
  • <system folder>\kamsoft.exe - copy of itself, loader component
  • <system folder>\gasretyw<number>.dll - payload component; detected as Worm:Win32/Taterf.B.dll
 
where <number> is a single digit from 0 to 9.
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
 
Both dropped files are detected: the loader as Worm:Win32/Taterf.B and the payload DLL as Worm:Win32/Taterf.B.dll.
 
It modifies the system registry so that its dropped copy runs every time Windows starts:
 
Adds value: "kamsoft"
With data: "<system folder>\kamsoft.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 
It then injects its payload component into the running "explorer.exe" process, so the credential-stealing code executes inside a trusted system process rather than as a separate, easily spotted process.
Spreads Via...
Logical Drives
Win32/Taterf.B attempts to drop the following files into the root of every drive letter from C: to Z:
  • m9ma.exe - copy of itself
  • autorun.inf - INF file that enables the worm copy to run automatically when the drive is accessed and Autorun is enabled
 
To ensure that Autorun is enabled, it may modify the following registry entry:
 
Adds value: "NoDriveTypeAutoRun"
With data: "00000091"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
 
Note - NoDriveTypeAutoRun is a bitmask in which a set bit disables Autorun for one drive type. The value 0x91 (also the Windows XP default) disables Autorun only for unknown and network drive types, so removable and fixed drives still honour an autorun.inf in their root. A host hardened with the value 0xFF has Autorun disabled for every drive type, and the worm's copy will not launch on insertion.
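The following Python is an added example, not code from the original Microsoft entry. It sweeps a list of drive roots for the autorun.inf / m9ma.exe pair described in the section above, and checks a system folder for the kamsoft.exe and gasretyw<number>.dll drops from the Installation section. The sample autorun.inf bytes and the temporary directory layout built by demo() are constructed for the demonstration; the WINDOWS_ROOTS list and the SystemRoot environment variable mentioned in the usage note are the only live-host assumptions. The parser deliberately does not use configparser, because worm autorun.inf files are routinely padded with junk bytes and malformed lines that make a strict INI parser raise.

```python
"""Added example: sweep drive roots for autorun.inf / m9ma.exe and the system
folder for kamsoft.exe / gasretyw<digit>.dll.  All sample data is constructed;
nothing here is taken from the original encyclopedia entry."""
import os
import re
import tempfile

# Keys under [autorun] whose value is a program to launch when the drive opens.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# File-name patterns for the two system-folder drops listed on this page.
DROP_NAME_RE = re.compile(r"^(kamsoft\.exe|gasretyw[0-9]\.dll)$", re.IGNORECASE)
# Roots the worm targets: every drive letter from C: to Z: (live Windows host only).
WINDOWS_ROOTS = [f"{c}:\\" for c in "CDEFGHIJKLMNOPQRSTUVWXYZ"]

# Constructed autorun.inf: mixed case, junk bytes and a decoy section, the kind
# of padding droppers use to defeat naive signature matching.
SAMPLE_INF = (b"[AutoRun]\r\n"
              b"\x8f\x93\xfe junk line with no separator\r\n"
              b"OPEN=m9ma.exe\r\n"
              b"shell\\open\\Command=m9ma.exe\r\n"
              b"shellexecute=\"m9ma.exe\" /s\r\n"
              b"[Other]\r\nopen=notepad.exe\r\n")


def parse_autorun_inf(data: bytes) -> dict:
    """Return {lower-cased key: value} for the [autorun] section only.

    Decodes leniently, drops undecodable bytes and skips any line that is
    not key=value, so malformed worm-written files still parse."""
    text = data.decode("ascii", errors="ignore")
    entries, in_autorun = {}, False
    for raw in re.split(r"\r\n|\r|\n", text):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_binaries(entries: dict) -> set:
    """Lower-cased basenames of every program the autorun.inf would launch."""
    targets = set()
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            parts = value.strip().strip('"').split()  # drop quoting and arguments
            if parts:
                exe = parts[0].strip('"').replace("\\", "/")
                targets.add(os.path.basename(exe).lower())
    return targets


def sweep_drive_roots(roots) -> list:
    """For each root carrying an autorun.inf, report what it launches, whether
    that file sits beside it, and whether it is the m9ma.exe indicator."""
    findings = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        with open(inf, "rb") as fh:
            entries = parse_autorun_inf(fh.read())
        for name in launched_binaries(entries):
            findings.append({"root": root, "launches": name,
                             "present": os.path.isfile(os.path.join(root, name)),
                             "taterf_indicator": name == "m9ma.exe"})
    return findings


def find_system_folder_drops(system_folder) -> list:
    """Names in <system folder> matching kamsoft.exe or gasretyw<digit>.dll."""
    try:
        names = os.listdir(system_folder)
    except OSError:
        return []
    return sorted(n.lower() for n in names if DROP_NAME_RE.match(n))


def demo():
    """Build a constructed infected layout in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean, sysdir = (os.path.join(tmp, d) for d in ("E", "F", "System32"))
        for d in (infected, clean, sysdir):
            os.makedirs(d)
        with open(os.path.join(infected, "autorun.inf"), "wb") as fh:
            fh.write(SAMPLE_INF)
        # Empty placeholder files only; no malware is written anywhere.
        for name in ("E/m9ma.exe", "System32/kamsoft.exe", "System32/gasretyw7.dll",
                     "System32/gasretyw12.dll", "System32/kernel32.dll"):
            open(os.path.join(tmp, *name.split("/")), "wb").close()
        return find_system_folder_drops(sysdir), sweep_drive_roots([infected, clean])


if __name__ == "__main__":
    drops, findings = demo()
    print("system-folder drops:", drops)
    for finding in findings:
        print(finding)
```

On a live Windows host the same functions are called as find_system_folder_drops(os.path.join(os.environ["SystemRoot"], "System32")) and sweep_drive_roots(WINDOWS_ROOTS); a root whose drive letter is not mapped simply has no autorun.inf and is skipped. Note that gasretyw12.dll in the constructed sample is deliberately not matched, because the page specifies a single digit.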
Payload
Disables antivirus services
Worm:Win32/Taterf.B attempts to stop the real-time protection service of antivirus products from the following vendors:
  • Kaspersky
  • Rising
 
Modifies system settings
To keep its dropped files out of sight, Win32/Taterf.B changes the way that Windows displays hidden files and protected operating-system files by setting the following registry entries:
 
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
 
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 
Steals user details
Win32/Taterf.B steals online game account names and passwords by monitoring running processes, in particular the following game clients:
  • pol.exe
  • ageofconan.exe
  • coc.exe
  • knightonline.exe
  • lotroclient.exe
  • turbinelauncher.exe
 
Analysis by Shawn Wang

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\kamsoft.exe
    <system folder>\gasretyw<number>.dll
  • The presence of the following registry modifications:
    Added value: "kamsoft"
    With data: "<system folder>\kamsoft.exe"
    To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
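As an added example that is not part of the original entry, the Python below evaluates the registry indicators from this page (the kamsoft Run value listed under Symptoms, the NoDriveTypeAutoRun policy from the Spreads Via section, and the three hidden-file settings from Modifies system settings) against a registry snapshot. The snapshot is a plain dict keyed by (key path, value name) so it can be constructed by hand, as INFECTED_SNAPSHOT and HARDENED_SNAPSHOT are here; read_live_snapshot() fills one from the real registry with the standard-library winreg module on Windows. The drive-type bit assignments and the 0xFF hardening value follow Microsoft's documentation of NoDriveTypeAutoRun; the indicator names are my own.

```python
"""Added example: evaluate the registry indicators from this page against a
snapshot dict keyed by (key path, value name).  The snapshots below are
constructed; read_live_snapshot() reads the real registry on Windows."""
import sys

# NoDriveTypeAutoRun is a bitmask; a SET bit disables Autorun for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "unrecognised drive type",
}
DISABLE_ALL = 0xFF  # hardening value recommended in Microsoft KB 967715

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL_KEY = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Advanced\Folder\Hidden\SHOWALL")
WANTED = [(RUN_KEY, "kamsoft"), (POLICY_KEY, "NoDriveTypeAutoRun"),
          (ADVANCED_KEY, "Hidden"), (ADVANCED_KEY, "ShowSuperHidden"),
          (SHOWALL_KEY, "CheckedValue")]

# Constructed snapshots: the state this page describes, and a hardened host.
INFECTED_SNAPSHOT = {
    (RUN_KEY, "kamsoft"): r"C:\Windows\System32\kamsoft.exe",
    (POLICY_KEY, "NoDriveTypeAutoRun"): 0x91,
    (ADVANCED_KEY, "Hidden"): 2,
    (ADVANCED_KEY, "ShowSuperHidden"): 0,
    (SHOWALL_KEY, "CheckedValue"): 0,
}
HARDENED_SNAPSHOT = {
    (POLICY_KEY, "NoDriveTypeAutoRun"): DISABLE_ALL,
    (ADVANCED_KEY, "Hidden"): 1,
    (ADVANCED_KEY, "ShowSuperHidden"): 1,
    (SHOWALL_KEY, "CheckedValue"): 1,
}


def autorun_enabled_types(mask: int) -> list:
    """Drive types on which Autorun still fires under the given mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def evaluate(snapshot: dict) -> list:
    """Return (indicator, detail) tuples; values absent from the snapshot are skipped."""
    hits = []
    run = snapshot.get((RUN_KEY, "kamsoft"))
    if isinstance(run, str) and run.lower().endswith("\\kamsoft.exe"):
        hits.append(("persistence", "Run value kamsoft -> " + run))
    mask = snapshot.get((POLICY_KEY, "NoDriveTypeAutoRun"))
    if mask is not None and mask != DISABLE_ALL:
        hits.append(("autorun_policy", "0x%02X leaves Autorun on for %s"
                     % (mask, ", ".join(autorun_enabled_types(mask)))))
    # Hidden=2 and ShowSuperHidden=0 are also the Windows defaults, so alone they
    # are weak evidence; CheckedValue=0 is not a default and is the stronger sign.
    if snapshot.get((ADVANCED_KEY, "Hidden")) == 2:
        hits.append(("hidden_files", "Hidden=2: hidden files are not shown"))
    if snapshot.get((ADVANCED_KEY, "ShowSuperHidden")) == 0:
        hits.append(("hidden_files", "ShowSuperHidden=0: protected OS files hidden"))
    if snapshot.get((SHOWALL_KEY, "CheckedValue")) == 0:
        hits.append(("hidden_files", "CheckedValue=0: 'Show hidden files' option neutralised"))
    return hits


def read_live_snapshot() -> dict:
    """Fill a snapshot from the real registry (Windows only, stdlib winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("winreg is only available on Windows")
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for key, name in WANTED:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as handle:
                snap[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            pass  # key or value absent: leave it out of the snapshot
    return snap


if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for indicator, detail in evaluate(snapshot):
        print(indicator, detail)
```

Run on the constructed infected snapshot, evaluate() reports the persistence entry, an Autorun policy of 0x91 that still allows Autorun on removable, fixed, CD-ROM and RAM-disk drives, and all three hidden-file settings; the hardened snapshot produces no findings. The comment beside the hidden-file checks matters in practice: two of the three values the worm writes are already the Windows defaults, so treat them as corroboration rather than as a detection on their own.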

Prevention


Alert level: Severe
First detected by definition: 1.49.2195.0
Latest detected by definition: 1.195.84.0 and higher
First detected on: Jan 19, 2009
This entry was first published on: Feb 06, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Frethog.CUM (CA)
  • W32/Lineage.KHE (Panda)
  • Mal/Frethog-B (Sophos)
  • Trojan-GameThief.Win32.Magania.ammv (Kaspersky)
  • Generic PWS.ak (McAfee)
  • Infostealer.Gampass (Symantec)