
Worm:Win32/Taterf.gen!E


First posted on 04 April 2012.
Source: Microsoft

Aliases:

Worm:Win32/Taterf.gen!E is also known as PWS-Lineage!by (McAfee), W32.Gammima.AG!gen4 (Symantec), W32/Frethog.AL (Norman), Trojan-GameThief.Win32.Magania.cweh (Kaspersky), W32/OnLineGames.CPS (Command), Win32/PSW.OnLineGames.OTM trojan (ESET), Trojan.PWS.Magania!nGGEthmFRMk (VirusBuster), Win-Trojan/Onlinegamehack5.Gen (AhnLab), Trojan.PWS.Wsgame.12661 (Dr.Web), Worm.Win32.Taterf (Ikarus).

Explanation:

Worm:Win32/Taterf.gen!E is a generic detection for Win32/Taterf, a family of worms that spread via mapped drives in order to steal login and account details for popular online games.





Installation

When executed, the worm deletes the copy that was run and copies itself to the %Temp% folder as a randomly named file with the hidden attribute set. For example:

herss.exe

The worm modifies the registry so that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "cdoosoft"
With data: %temp%\herss.exe

Taterf's password-stealing payload is implemented in a DLL component, which is also dropped into the %Temp% folder under the following file name:

cvasds0.dll

Once dropped, the DLL is injected into explorer.exe or iexplore.exe.

Spreads via...

Mapped removable and network drives

The worm continually enumerates drives from C: to Z:, copying itself to the root of each drive and creating an 'autorun.inf' file that points to one of the copies it creates. When the removable or network drive is accessed from another computer that supports the Autorun feature, the malware is launched automatically. This 'autorun.inf' file is detected as Worm:Win32/Taterf!inf.

The file name the worm uses for its copy in the root of the drive differs across variants; it usually consists of random letters and numbers with a '.com', '.cmd' or '.exe' extension.



Payload

Steals online game data

Once injected, the DLL is used to obtain account information for one or more of the following Massively Multiplayer Online Games and affiliated products:

  • Cabal OnlineUK
  • Dungeon Fighter
  • MapleStory
  • Metin2 - Oriental Action MMORPG
  • MU Online


Modifies system settings

Worm:Win32/Taterf.gen!E makes the following registry modifications, which control how Windows Explorer displays hidden files and folders:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  • HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
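The persistence entry described under Installation and the Explorer settings listed above are both visible in a registry export, so a triage script can flag them from a `reg export` file. The following is an added example, not part of the Microsoft write-up: it parses a constructed .reg-style sample and reports a Run value launching from Temp plus the hidden-file settings. The page names the keys but not the data the worm writes, so the flagged values (Hidden=2, ShowSuperHidden=0, CheckedValue=0) are an assumption based on which settings hide files in Explorer.

```python
import re
# Constructed .reg-style sample (not from the page); holds the Run entry and hidden-file keys the advisory lists.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"cdoosoft"="C:\\Users\\u\\AppData\\Local\\Temp\\herss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
HKCU = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"
RUN, POL, ADV = HKCU + "run", HKCU + "policies\\explorer", HKCU + "explorer\\advanced"
SHOWALL = ("hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer"
           "\\advanced\\folder\\hidden\\showall")

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {(key, value_name): data}; REG_SZ and REG_DWORD only."""
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if m:
                name, s, d = m.groups()
                out[(key, name.lower())] = int(d, 16) if s is None else s.replace("\\\\", "\\")
    return out

def taterf_indicators(reg: dict) -> list:
    """Findings that match the advisory's persistence and settings-tampering behaviour."""
    hits = []
    for (key, name), data in reg.items():
        # Persistence: a Run value whose program path lies under a Temp directory.
        if key == RUN and isinstance(data, str) and re.search(r"\\temp\\|%temp%", data, re.I):
            hits.append(f"Run value '{name}' launches from Temp: {data}")
    # Assumed tamper values (the page names the keys, not the data): settings that hide files in Explorer.
    if reg.get((ADV, "hidden")) == 2:
        hits.append("Explorer\\Advanced\\Hidden=2 (hidden files not shown)")
    if reg.get((ADV, "showsuperhidden")) == 0:
        hits.append("ShowSuperHidden=0 (protected OS files not shown)")
    if reg.get((SHOWALL, "checkedvalue")) == 0:
        hits.append("SHOWALL\\CheckedValue=0 (Folder Options 'show hidden' disabled)")
    if (POL, "nodrivetypeautorun") in reg:  # the page gives no value, so just report it
        hits.append(f"NoDriveTypeAutoRun=0x{reg[(POL, 'nodrivetypeautorun')]:02x}")
    return hits
```

Run it against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` saved as UTF-8) and review any Run value that starts from a Temp directory alongside the hidden-file settings, since on a cleaned machine those settings must also be restored.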


Modifies system security settings

The worm attempts to circumvent security products by:

  • Attempting to prevent AVP Antivirus from displaying notifications regarding changes made to the computer, by closing windows used by this product
  • Attempting to terminate Ravmon.exe if it is found to be running on the affected computer




Analysis by Francis Allan Tan Seng

Last update 04 April 2012
