
Worm:Win32/Taterf.AA


First posted on 30 June 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Taterf.AA is also known as Worm.Win32.AutoRun.dni (Kaspersky), W32/AutoRun.DIW (Norman), Trojan horse PSW.OnlineGames.AO (AVG), Win32/Frethog.ATT (CA), PWS-Gamania.gen.a (McAfee).

Explanation:

Worm:Win32/Taterf.AA is a worm that spreads via mapped drives in order to steal login and account details for popular online games.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation

When executed, Taterf copies itself to the system directory as a hidden file using a file name with the following format:

  • amvo<number>.exe

The worm also drops a driver, wincab.sys, into the system directory. This driver is used to provide the worm with protection against particular security products and is detected as VirTool:WinNT/Vanti.gen!A. Additionally, files are created in the %temp% directory using randomly generated file names; these are detected as variants of Win32/Vanti.

The registry is modified to run the worm's copy at each Windows start (for example):

    Adds value: "amva"
    With data: "<system folder>\amvo<number>.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The functionality to perform Taterf's password-stealing payload is contained in a DLL component. The DLL is injected into explorer.exe or iexplore.exe and is detected as Worm:Win32/Taterf.A!dll.

Spreads via…

Mapped drives

The worm continually enumerates drives from C to Z, copying itself to the root of the drive as 'n1deiect.com' and creating an 'autorun.inf' file. The autorun.inf is used to execute the worm whenever the drive is viewed with Windows Explorer. This file is detected as Worm:Win32/Taterf!inf.

Payload

Steals online game data

Once injected, the DLL is used to obtain account information for the following Massively Multiplayer Online Games and affiliated products:

  • Lands of Aden
  • Depardieu
  • Ken Rauhel

The captured details are sent to a remote server on the gamesrb.com domain.

Modifies system settings

The following registry entries are modified in order to hinder detection and removal, and facilitate spreading:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

Downloads arbitrary files

The worm contacts the om7890.com domain in order to download files and update itself.

Modifies system security settings

The worm attempts to circumvent security products by:

  • Attempting to prevent AVP Antivirus from displaying notifications regarding system changes by closing windows used by this product.
  • Attempting to terminate Ravmon.exe if it is found to be running on the affected system.
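As an added triage example (not part of the original write-up), the following Python checks a registry snapshot and a drive-root listing against the indicators described above: the amvo<number>.exe Run-key entry, the four Explorer and autorun settings compared with a baseline captured on a clean host, and an autorun.inf that launches n1deiect.com. The registry dicts, the baseline values (including the 0x91 autorun policy) and the autorun.inf text are constructed sample inputs; on a live host they would be filled from winreg and os.listdir.

```python
import re
from configparser import ConfigParser

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AMVO_RE = re.compile(r"amvo\d+\.exe$", re.IGNORECASE)
DROPPED_NAME = "n1deiect.com"
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
WATCHED = [POLICIES + r"\NoDriveTypeAutoRun", ADV + r"\ShowSuperHidden",
           ADV + r"\Hidden", SHOWALL + r"\CheckedValue"]

def check_run_key(registry):
    """Return (value name, data) pairs in the Run key whose data ends in amvo<number>.exe."""
    return [(n, d) for n, d in registry.get(RUN_KEY, {}).items() if AMVO_RE.search(d)]

def check_explorer_settings(registry, baseline):
    """Return watched settings whose value differs from a baseline captured on a clean host."""
    changed = {}
    for path in WATCHED:
        key, _, name = path.rpartition("\\")
        current = registry.get(key, {}).get(name)
        if current != baseline.get(path):
            changed[path] = (baseline.get(path), current)
    return changed

def check_drive_root(files):
    """files maps file name -> text for one drive root; flag the dropped copy and an autorun.inf that launches it."""
    findings = []
    if DROPPED_NAME in {f.lower() for f in files}:
        findings.append("dropped copy: " + DROPPED_NAME)
    inf = files.get("autorun.inf")
    if inf is not None:
        cp = ConfigParser(interpolation=None)
        cp.read_string(inf)
        if cp.has_section("autorun") and any(DROPPED_NAME in v.lower() for v in cp["autorun"].values()):
            findings.append("autorun.inf launches " + DROPPED_NAME)
    return findings

# Constructed sample inputs, not captured from a real infection.
SAMPLE_REGISTRY = {
    RUN_KEY: {"amva": r"C:\WINDOWS\system32\amvo0.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    ADV: {"ShowSuperHidden": 0, "Hidden": 2},
    SHOWALL: {"CheckedValue": 0},
    POLICIES: {"NoDriveTypeAutoRun": 0x91},
}
# Assumed clean-host baseline: hidden and system files shown, autorun policy left at 0x91.
CLEAN_BASELINE = {WATCHED[0]: 0x91, WATCHED[1]: 1, WATCHED[2]: 1, WATCHED[3]: 1}
SAMPLE_ROOT = {"autorun.inf": "[autorun]\nopen=n1deiect.com\nshellexecute=n1deiect.com\n",
               "n1deiect.com": "<binary omitted>"}
```

Run against the sample data, the Run-key check reports only the "amva" entry, three of the four watched settings differ from the baseline, and the drive root yields both the dropped copy and the autorun.inf finding.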


Analysis by Matt McCormack

Last update 30 June 2009
