
Worm:Win32/Taterf.DL


First posted on 10 May 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Taterf.DL is also known as W32/Taterf.B!Generic (Authentium (Command)), Trojan-GameThief.Win32.Magania.dbzv (Kaspersky), Trojan.Magania.Gen!Pac.3 (VirusBuster), PSW.OnlineGames3.AIPS (AVG), TR/PSW.Magania.dbzv (Avira), Win32/PSW.OnLineGames.OUM (ESET), Worm.Win32.Taterf (Ikarus), and W32.Gammima.AG (Symantec).

Explanation :

Worm:Win32/Taterf.DL is a worm that spreads via mapped drives to steal login and account details for popular online games. It modifies certain computer settings as well.

Installation

Worm:Win32/Taterf.DL may arrive on the computer as a dropped component of other malware. It is installed as an EXE file and a DLL file in the Windows system folder, using different file names, for example:

  • <system folder>\cyban.exe
  • <system folder>\cyban<number>.dll

where <number> is a digit from 0 to 9. Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default system folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

It creates an autostart registry entry for its executable component, for example:

  Adds value: "cybansos"
  With data: "<system folder>\cyban.exe"
  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It injects its code into "iexplore.exe".

Spreads via...

Mapped network drives

Worm:Win32/Taterf.DL continually enumerates drives from C: to Z:, copying itself to the root of each drive and creating an "autorun.inf" file there. This file, which is detected as Worm:Win32/Taterf!inf, is used to execute Taterf whenever the drive is opened in Windows Explorer.

Payload

Modifies computer settings

Worm:Win32/Taterf.DL modifies the following registry entries, which control how hidden folders and files are displayed in Windows Explorer:

  Adds value: "ShowSuperHidden"
  With data: "0"
  Adds value: "Hidden"
  With data: "2"
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

  Adds value: "CheckedValue"
  With data: "0"
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Together these settings keep the worm's hidden files from appearing in Explorer and neuter the "Show hidden files and folders" option itself.

If Autorun is disabled, Worm:Win32/Taterf.DL also tries to re-enable it by modifying the following registry entry:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Drops other malware

Worm:Win32/Taterf.DL may drop a driver with a randomly generated file name in the Windows Temp folder. This driver is detected as a variant of VirTool:WinNT/Vanti.

Steals online game data

Worm:Win32/Taterf.DL obtains account information by monitoring the following processes, which belong to online game clients:

  • amo.exe
  • cabalmain.exe
  • cc.exe
  • client.exe
  • dakerden.exe
  • dakeron.exe
  • dnf.exe
  • ffclient.exe
  • ge.exe
  • gersang.exe
  • goonzu.exe
  • hevaonline.exe
  • inphasenxd.exe
  • knightonline.exe
  • main.exe
  • maplestory.exe
  • mir3game.exe
  • mixer.exe
  • nida.exe
  • so3d.exe
  • winbaram.exe
  • wow.exe

Downloads arbitrary files

Worm:Win32/Taterf.DL contacts remote Web sites to download arbitrary files. Examples of sites it connects to are the following:

  • googlew65.com
  • yahooui0.com

The downloaded file is then saved in the Temporary Internet Files folder.
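A host triage check for the indicators described above, added here as an example; it is not part of the original analysis. It assumes a PowerShell session on the suspected host with rights to read HKLM and to list every mapped drive. The file and value names come from the entry above; the expectation that NoDriveTypeAutoRun equals 0xFF (Autorun disabled for every drive type) is the standard hardened setting and is not stated on this page.

```powershell
# Added example: look for the Taterf.DL artifacts documented above on a live host.
# Names and keys are taken from the entry; nothing here is the worm's own code.
$findings = @()

# 1. Autostart value "cybansos" under the HKCU Run key.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['cybansos']) {
    $findings += "Run value 'cybansos' -> $($run.cybansos)"
}

# 2. Dropped components cyban.exe and cyban<digit>.dll in the system folder.
$sys = [Environment]::GetFolderPath('System')
Get-ChildItem -Path $sys -Filter 'cyban*' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^cyban(\.exe|[0-9]\.dll)$' } |
    ForEach-Object { $findings += "Dropped file: $($_.FullName)" }

# 3. Explorer hidden-file settings forced to "hide" (Hidden=2 hides hidden files,
#    ShowSuperHidden=0 hides protected OS files, CheckedValue=0 breaks the Folder Options radio button).
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0 -and $adv.Hidden -eq 2) {
    $findings += 'Explorer\Advanced: ShowSuperHidden=0, Hidden=2'
}
$showall = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($showall -and $showall.CheckedValue -eq 0) {
    $findings += 'SHOWALL CheckedValue=0'
}

# 4. Autorun policy. 0xFF disables Autorun for all drive types; the HKLM policy,
#    when present, takes precedence over HKCU, so both are reported.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ErrorAction SilentlyContinue
    if ($pol -and $null -ne $pol.NoDriveTypeAutoRun) {
        $mask = [int]$pol.NoDriveTypeAutoRun
        if ($mask -ne 0xFF) {
            $findings += ('{0} NoDriveTypeAutoRun = 0x{1:X2} (expected 0xFF)' -f $hive, $mask)
        }
    } else {
        $findings += "$hive NoDriveTypeAutoRun not set (Autorun not hardened)"
    }
}

# 5. autorun.inf at the root of every drive, including mapped network drives,
#    with the line(s) that name the executable it would launch.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $launch = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                   Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }) -join '; '
        $findings += "autorun.inf on $($d.Root): $launch"
    }
}

if ($findings.Count -eq 0) { 'No Taterf.DL indicators found.' } else { $findings }
```

Run it in an elevated session so the HKLM keys and all drive roots are readable. A hit on item 1 or 2 is a strong indicator of this family; items 3 and 4 alone only show the host is configured in a way that helps this kind of worm hide and spread, and should be corrected either way.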

    Analysis by Elda Dimakiling

    Last update 10 May 2010
