Worm:Win32/Taterf.B


First posted on 13 February 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Taterf.B is also known as: Win32/Frethog.CUM (CA), W32/Lineage.KHE (Panda), Mal/Frethog-B (Sophos), Trojan-GameThief.Win32.Magania.ammv (Kaspersky), Generic PWS.ak (McAfee), Infostealer.Gampass (Symantec).

Explanation:

Worm:Win32/Taterf.B is a worm that spreads via logical drives to steal login and account details for popular online games.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\kamsoft.exe
    <system folder>\gasretyw<number>.dll
  • The presence of the following registry modifications:
    Added value: "kamsoft"
    With data: "<system folder>\kamsoft.exe"
    To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


    Installation
    Worm:Win32/Taterf.B is composed of a loader component and a payload component. It drops the following files in the system with the attributes "hidden", "system", and "read-only":
  • <system folder>\kamsoft.exe - copy of itself, loader component
  • <system folder>\gasretyw<number>.dll - payload component; detected as Worm:Win32/Taterf.B.dll
    where <number> is a number from 0 to 9. Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32. Both of these files are detected as Worm:Win32/Taterf.B.

    It modifies the system registry so that its dropped copy runs every time Windows starts:
    Adds value: "kamsoft"
    With data: "<system folder>\kamsoft.exe"
    To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    It then injects its payload component into the currently-running "explorer.exe" process.

    Spreads Via... Logical Drives
    Win32/Taterf.B attempts to drop the following files in the root of all drives from C: to Z::
  • m9ma.exe - copy of itself
  • autorun.inf - INF file that enables the worm copy to run automatically when the drive is accessed and Autorun is enabled

    To ensure that Autorun is enabled, it may modify the following registry entry:
    Adds value: "NoDriveTypeAutoRun"
    With data: "00000091"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Payload
    Disables Antivirus Services
    Worm:Win32/Taterf.B attempts to stop the real-time protection service of antivirus products from the following vendors:
  • Kaspersky
  • Rising

    Modifies System Settings
    To avoid detection, Win32/Taterf.B changes the way that the system handles hidden files and folders by adding the following registry entries:
    Adds value: "CheckedValue"
    With data: "0"
    To key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    Adds value: "Hidden"
    With data: "2"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Adds value: "ShowSuperHidden"
    With data: "0"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    Steals User Details
    Win32/Taterf.B steals online game accounts and passwords by monitoring the system, especially the following game processes:
  • pol.exe
  • ageofconan.exe
  • coc.exe
  • knightonline.exe
  • lotroclient.exe
  • turbinelauncher.exe
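A defender-side check for the registry indicators listed above (the Run-key persistence, the NoDriveTypeAutoRun policy and the hidden-file settings), added here as an example and not part of the original write-up. It works on a constructed snapshot of registry values so it runs offline; the key paths and values are the ones given in this description, and the bitmask meaning of NoDriveTypeAutoRun comes from Windows documentation rather than from this page.

```python
# Flag the Worm:Win32/Taterf.B registry indicators described above. Works on a
# snapshot {(key_path, value_name): data}; the snapshots below are constructed,
# on a live host they would be exported from the registry and fed in unchanged.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL_KEY = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Advanced\Folder\Hidden\SHOWALL")
# NoDriveTypeAutoRun is a bitmask: bit n set disables Autorun for drive type n
# (DRIVE_REMOVABLE = 2, DRIVE_FIXED = 3); 0xFF disables it for every type.
AUTORUN_REMOVABLE, AUTORUN_FIXED = 1 << 2, 1 << 3


def check_taterf_indicators(snapshot):
    """Return human-readable findings for a registry snapshot; [] means clean."""
    findings = []
    run = snapshot.get((RUN_KEY, "kamsoft"))
    if isinstance(run, str) and run.lower().endswith("kamsoft.exe"):
        findings.append(f"Run persistence: kamsoft -> {run}")
    policy = snapshot.get((POLICY_KEY, "NoDriveTypeAutoRun"))
    if policy == 0x91:
        findings.append("NoDriveTypeAutoRun = 0x91 (value set by Taterf.B)")
    elif policy is not None and not (policy & AUTORUN_REMOVABLE and policy & AUTORUN_FIXED):
        findings.append(f"Autorun still enabled for removable/fixed drives (0x{policy:02X})")
    if snapshot.get((SHOWALL_KEY, "CheckedValue")) == 0:
        findings.append("SHOWALL\\CheckedValue = 0 (hidden files stay hidden)")
    if snapshot.get((ADVANCED_KEY, "Hidden")) == 2:
        findings.append("Advanced\\Hidden = 2 (do not show hidden files)")
    if snapshot.get((ADVANCED_KEY, "ShowSuperHidden")) == 0:
        findings.append("Advanced\\ShowSuperHidden = 0 (protected OS files hidden)")
    return findings


# Constructed snapshot reproducing the changes listed in this write-up.
INFECTED = {
    (RUN_KEY, "kamsoft"): r"C:\Windows\System32\kamsoft.exe",
    (POLICY_KEY, "NoDriveTypeAutoRun"): 0x91,
    (SHOWALL_KEY, "CheckedValue"): 0,
    (ADVANCED_KEY, "Hidden"): 2,
    (ADVANCED_KEY, "ShowSuperHidden"): 0,
}
# Constructed hardened baseline: Autorun off for all drive types, hidden files shown.
CLEAN = {(POLICY_KEY, "NoDriveTypeAutoRun"): 0xFF, (SHOWALL_KEY, "CheckedValue"): 1,
         (ADVANCED_KEY, "Hidden"): 1, (ADVANCED_KEY, "ShowSuperHidden"): 1}

if __name__ == "__main__":
    for finding in check_taterf_indicators(INFECTED):
        print("[!]", finding)
```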


Analysis by Shawn Wang

Last update 13 February 2009
