Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13

Chapter 11: Data Stealing Trojans

Trojan-GameThief.Win32.OnLineGames2.an

News

 Strategies of Defending Windows against Malware Recommended Links Data Stealing Trojans Introduction to data stealing trojans Zoo
Trojan-GameThief PWS-Mmorpg Password Stealing Trojan Win32 Alureon TrojanSpy
Win32/Banker.WE		 Investigator from WinWhatWhere WORM
MORTO
Flame Duqu Trojan Spyware Spyware fighting strategy Humor Etc

In the case that I know of,  and from which I obtained samples of this malware, the PC was infected by browsing Web site (probably shareware website), not by any email attachment.

In my case I just re-imaged the infected computer using Softpanorama Malware Defense Strategy without much analyses.

There are  three files in "C:\Documents and Settings\dell\Start Menu\Programs\Startup\"

-r-xr-xr-x+ 1 nnb None  53121 Dec  9  2010 kiaqas.exe 
-r-xr-xr-x+ 1 nnb None  57217 Dec  9  2010 mssvig.exe
-r-xr-xr-x+ 1 nnb None  53121 Dec  9  2010 stdlas.exe might be related to Trojan.Spyeye

If you delete or rename them in Windows, they reappear.  They are probably all created with Zeus toolkit and some AV vendor classify files as Zbot. They might be related to Trojan-GameThief.Win32.

Typically Trojans based on Zeus toolkit are designed to steal account data and passwords.

File name are probably random. Probably exists is several modification tuned to different online game targets.

kiaqas.exe (feettox23.exe )

Here are results from virustotal.com (submission was dome on Dec 2, 2012, a month after detection). The file feettox23.exe was found in "C:\Documents and Settings\user\Local Settings\Temp\" not in "C:\Documents and Settings\dell\Start Menu\Programs\Startup\"

First seen by VirusTotal
2012-09-25 15:15:19 UTC ( 2 months, 1 week ago )
Last seen by VirusTotal
2012-12-02 16:26:17 UTC ( 1 hour, 5 minutes ago )

 

File names (max. 25)
  1. feettox23.exe
  2. feettox23___.exe
  3. R996310D2C08E3D4C6904DCC8C29A9E285A89CAFA69FE4BF6FFA97EF222A1853
  4. kiaqas.exe
  5. a5ce1e1206abe49598a41a30e5402ea2f7f6b5f9
  6. 5879def7082e493f73d0ed5c9bc
  7. file-4609606_exe

 

The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

File system activity
Opened files...
C:\93f41568a9e6b4cd78f73a16c4113892ff5e8144432d72fb4460c8a4efaf75c6 (successful)
\\.\Ip (successful)
C:\WINDOWS\system32\svchost.exe (successful)
Read files...
C:\93f41568a9e6b4cd78f73a16c4113892ff5e8144432d72fb4460c8a4efaf75c6 (successful)

Registry activity
Set keys...
KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\Name
TYPE:  REG_SZ
VALUE: 93f41568a9e6b4cd78f73a16c4113892ff5e8144432d72fb4460c8a4efaf75c6 (successful)

KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\ID
TYPE:  REG_DWORD
VALUE: 193 (successful)

Process activity
Created processes...
svchost.exe (successful)

Mutex activity
Created mutexes...
DDrawWindowListMutex (successful)
DDrawDriverObjectListMutex (successful)
__DDrawExclMode__ (successful)
__DDrawCheckExclMode__ (successful)
Opened mutexes...
ShimCacheMutex (successful)

Runtime DLLs

kernel32.dll (successful)
msvcp60.dll (successful)
msi.dll (successful)
opengl32.dll (successful)
advapi32.dll (successful)
dsauth.dll (successful)
devenum.dll (successful)
version.dll (successful)

Additional details

  • The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
Antivirus Result Update
Agnitum Suspicious!SA 20121017
AntiVir TR/Crypt.XPACK.Gen 20121017
Antiy-AVL - 20121017
Avast Win32:Rootkit-gen [Rtk] 20121017
AVG Win32/Heri 20121017
BitDefender Gen:Trojan.Heur.FU.du0@aCSAFPgG 20121017
CAT-QuickHeal - 20121017
ClamAV - 20121017
Commtouch - 20121017
Comodo UnclassifiedMalware 20121017
DrWeb Trojan.Siggen4.22094 20121017
eSafe - 20121017
ESET-NOD32 - 20121017
F-Prot - 20121017
F-Secure Gen:Trojan.Heur.FU.du0@aCSAFPgG 20121017
Fortinet W32/Suspic 20121017
GData Gen:Trojan.Heur.FU.du0@aCSAFPgG 20121017
Ikarus Virus.Win32.Heri 20121017
Jiangmin - 20121017
K7AntiVirus Riskware 20121017
Kaspersky Virus.Win32.Suspic.gen 20121017
Kingsoft Win32.AutoInfector.a.(kcloud) 20121008
McAfee Artemis!5879DEF7082E 20121017
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20121017
Microsoft - 20121017
MicroWorld-eScan Gen:Trojan.Heur.FU.du0@aCSAFPgG 20121017
Norman W32/Troj_Generic.EIGJH 20121017
nProtect - 20121017
Panda Trj/CI.A 20121017
Rising - 20121017
Sophos - 20121017
SUPERAntiSpyware - 20121017
Symantec Trojan.Gen 20121017
TheHacker - 20121016
TotalDefense - 20121017
TrendMicro TROJ_SPNR.06JB12 20121017
TrendMicro-HouseCall TROJ_SPNR.06JB12 20121017
VBA32 Malware-Cryptor.General.3 20121016
VIPRE Trojan.Win32.Generic!BT 20121017
ViRobot - 20121017

mssvig.exe

This is like another Trojan created with Zeus toolkit. AhnLab-V3 classify it as Spyware/Win32.Zbot and McAfee as PWS-Zbot.gen.apu. Dr Web as Trojan.Siggen4.22099

File system activity
Opened files...
C:\afa2a2ad070ac62049303d2b1579c611fe4eed28ec5f769b7dea2c767126eaf1 (successful)
C:\WINDOWS\system32\svchost.exe (successful)
Read files...
C:\afa2a2ad070ac62049303d2b1579c611fe4eed28ec5f769b7dea2c767126eaf1 (successful)

Registry activity
Set keys...
KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\Name
TYPE:  REG_SZ
VALUE: afa2a2ad070ac62049303d2b1579c611fe4eed28ec5f769b7dea2c767126eaf1 (successful)

KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\ID
TYPE:  REG_DWORD
VALUE: 12 (successful)

Process activity
Created processes...
svchost.exe (successful)

Mutex activity
Created mutexes...
DDrawWindowListMutex (successful)
DDrawDriverObjectListMutex (successful)
__DDrawExclMode__ (successful)
__DDrawCheckExclMode__ (successful)
Opened mutexes...
ShimCacheMutex (successful)

Runtime DLLs

kernel32.dll (successful)
msvcp60.dll (successful)
advapi32.dll (successful)
wmi.dll (successful)
comctl32.dll (successful)
opengl32.dll (successful)
riched20.dll (successful)
shdocvw.dll (successful)
version.dll (successful)

Additional details

  • The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.

Antivirus Result Update
Agnitum Trojan.Small!qCML4Y8XpjU 20121003
AhnLab-V3 Spyware/Win32.Zbot 20121003
AntiVir TR/Crypt.XPACK.Gen 20121003
Antiy-AVL - 20121002
Avast Win32:Trojan-gen 20121003
AVG Win32/Heri 20121003
BitDefender Gen:Trojan.Heur.FU.du0@aSDzUekS 20121003
ByteHero - 20120918
CAT-QuickHeal - 20121002
ClamAV - 20121003
Commtouch - 20121003
Comodo UnclassifiedMalware 20121003
DrWeb Trojan.Siggen4.22099 20121003
Emsisoft - 20120919
eSafe - 20121002
ESET-NOD32 probably a variant of Win32/Small.DEWABQM 20121003
F-Prot - 20120926
F-Secure Gen:Trojan.Heur.FU.du0@aSDzUekS 20121003
Fortinet W32/Suspic 20121003
GData Gen:Trojan.Heur.FU.du0@aSDzUekS 20121003
Ikarus Virus.Win32.Heri 20121003
Jiangmin - 20121002
K7AntiVirus - 20121002
Kaspersky Virus.Win32.Suspic.gen 20121003
Kingsoft - 20120925
McAfee Artemis!02974386ECD6 20121003
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20121003
Microsoft - 20121003
Norman W32/Troj_Generic.EIJHF 20121003
nProtect - 20121003
Panda Trj/CI.A 20121002
PCTools - 20121003
Rising - 20120928
Sophos - 20121003
SUPERAntiSpyware - 20120911
Symantec WS.Reputation.1 20121003
TheHacker - 20121001
TotalDefense - 20121003
TrendMicro - 20121003
TrendMicro-HouseCall TROJ_GEN.RCBB1IS 20121003
VBA32 Malware-Cryptor.General.3 20121003
VIPRE Trojan.Win32.Generic!BT 20121002
ViRobot - 20121003

stdlas.exe

Looks like another Zeus-based package. Might be related to Trojan.Spyeye Symantec
The Trojan then injects code into any currently running system processes so that it can then perform the following functions:

It also provides certain rootkit capabilities, for example it can:

The Trojan then steals information from the following Internet browsers:


File system activity
Opened files...
C:\d6a3b8836d0992b1f1c13d368c30d4c5f8d1f7459e36f4fd67d6def1b160bfb7 (successful)
CONIN$ (failed)
CONOUT$ (failed)
C:\WINDOWS\system32\svchost.exe (successful)
Read files...
C:\d6a3b8836d0992b1f1c13d368c30d4c5f8d1f7459e36f4fd67d6def1b160bfb7 (successful)

Registry activity
Set keys...
KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\Name
TYPE:  REG_SZ
VALUE: d6a3b8836d0992b1f1c13d368c30d4c5f8d1f7459e36f4fd67d6def1b160bfb7 (successful)

KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\ID
TYPE:  REG_DWORD
VALUE: 141 (successful)

Process activity
Created processes...
svchost.exe (successful)

Mutex activity
Created mutexes...
DDrawWindowListMutex (successful)
DDrawDriverObjectListMutex (successful)
__DDrawExclMode__ (successful)
__DDrawCheckExclMode__ (successful)
Opened mutexes...
ShimCacheMutex (successful)

Runtime DLLs

kernel32.dll (successful)
ntdll.dll (successful)
opengl32.dll (successful)
wldap32.dll (successful)
setupapi.dll (successful)
kernel32 (successful)
msvcrt20.dll (successful)
untfs.dll (successful)
version.dll (successful)
advapi32.dll (successful)

Additional details

  • The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
Antivirus Result Update
Agnitum Suspicious!SA 20121107
AhnLab-V3 Spyware/Win32.Zbot 20121108
AntiVir TR/Crypt.XPACK.Gen 20121108
Antiy-AVL - 20121108
Avast Win32:Virtu-C 20121108
AVG Win32/Heri 20121108
BitDefender Gen:Trojan.Heur.TP.du0@b8ZwR6fG 20121108
ByteHero - 20121107
CAT-QuickHeal - 20121108
Commtouch - 20121108
Comodo UnclassifiedMalware 20121108
DrWeb Trojan.Siggen4.22099 20121108
Emsisoft Virus.Win32.Suspic.AMN (A) 20121108
eSafe - 20121107
ESET-NOD32 a variant of Win32/Kryptik.ANIX 20121108
F-Prot - 20121108
F-Secure Gen:Trojan.Heur.TP.du0@b8ZwR6fG 20121108
Fortinet W32/Suspic 20121108
GData Gen:Trojan.Heur.TP.du0@b8ZwR6fG 20121108
Ikarus Virus.Win32.Heri 20121108
K7AntiVirus Riskware 20121108
Kaspersky Virus.Win32.Suspic.gen 20121108
Kingsoft Win32.AutoInfector.a.(kcloud) 20121105
McAfee Generic.dx!bfzg 20121108
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20121108
Microsoft - 20121108
MicroWorld-eScan Gen:Trojan.Heur.TP.du0@b8ZwR6fG 20121108
Norman W32/Troj_Generic.EJKWZ 20121108
nProtect - 20121108
Panda Trj/OCJ.A 20121108
PCTools - 20121108
Rising - 20121108
Sophos - 20121108
SUPERAntiSpyware - 20121108
Symantec Suspicious.MH690.A 20121108
TheHacker - 20121107
TotalDefense - 20121106
TrendMicro TROJ_SPNR.06JB12 20121108
TrendMicro-HouseCall TROJ_SPNR.06JB12 20121108
VBA32 Malware-Cryptor.General.3 20121107
VIPRE Trojan.Win32.Generic!BT 20121108
ViRobot - 20121108

ExifTool
CodeSize.................: 14336
FileDescription..........: TeamViewer Remote Control Application
InitializedDataSize......: 7680
ImageVersion.............: 0.0
ProductName..............: TeamViewer
FileVersionNumber........: 6.0.9895.0
LanguageCode.............: English (British)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 9.0
OriginalFilename.........: TeamViewer.exe
PrivateBuild.............: TeamViewer Remote Control Application
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 6.0.9895.0
TimeStamp................: 2008:04:04 12:23:21+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: TeamViewer
SubsystemVersion.........: 4.0
ProductVersion...........: 6.0
UninitializedDataSize....: 0
OSVersion................: 1.0
FileOS...................: Windows NT 32-bit
LegalCopyright...........: TeamViewer GmbH
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: TeamViewer GmbH
LegalTrademarks..........: TeamViewer
FileSubtype..............: 0
ProductVersionNumber.....: 6.0.0.0
EntryPoint...............: 0x8200
ObjectFileType...........: Executable application
Portable Executable structural information
Compilation timedatestamp.....: 2008-04-04 11:23:21
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00008200

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096         14211     14336     6.18  cabdcb360baae79a95d759904fc7ef14
.idat_93              20480          3502      3584     5.71  96118c66d1bda0bd408cf520fe2b5881
.data                 24576          2540      2560     4.59  9cd9a37c1c9900ec91a41acb55fc1463
.rsrc                 28672          1330      1536     3.23  0f5b0c958b3c150f2ecd9f3d39ed55b2
hh                    32768          8192      3789     6.11  fd5d7c7aa19a0d7d2b9671dd88043e01

PE Imports....................:

[[KERNEL32.dll]]
Sleep, ExitProcess, GetLocalTime, FindFirstFileA

PE Resources..................:

Resource type            Number of resources
RT_STRING                1
RT_VERSION               1

Resource language        Number of resources
NEUTRAL                  1
ENGLISH CAN              1
Symantec Reputation
Suspicious.Insight
First seen by VirusTotal
2012-10-22 08:00:00 UTC ( 1 month, 1 week ago )
Last seen by VirusTotal
2012-11-20 07:48:46 UTC ( 1 week, 5 days ago )
File names (max. 25)
  1. file-4736157_exe
  2. 9d9bc8ba90dd72408b0a2a1e7e1
  3. geraam.exe
  4. geraam.exe
  5. geraam.exe_

The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

File system activity
Opened files...
C:\28eab6d204516b64a84512c640b1930c41beaf5fee6e3af474c5aac74730b60e (successful)
CONIN$ (failed)
CONOUT$ (failed)
C:\WINDOWS\system32\svchost.exe (successful)
Read files...
C:\28eab6d204516b64a84512c640b1930c41beaf5fee6e3af474c5aac74730b60e (successful)

Registry activity
Set keys...
KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\Name
TYPE:  REG_SZ
VALUE: 28eab6d204516b64a84512c640b1930c41beaf5fee6e3af474c5aac74730b60e (successful)

KEY:   HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\ID
TYPE:  REG_DWORD
VALUE: 169 (successful)

Process activity
Created processes...
svchost.exe (successful)

Mutex activity
Created mutexes...
DDrawWindowListMutex (successful)
DDrawDriverObjectListMutex (successful)
__DDrawExclMode__ (successful)
__DDrawCheckExclMode__ (successful)
Opened mutexes...
ShimCacheMutex (successful)

Runtime DLLs

kernel32.dll (successful)
c:\windows\system32\comdlg32.dll (successful)
c:\windows\system32\nddeapi.dll (successful)
c:\windows\system32\shell32.dll (successful)
c:\windows\system32\kernel32.dll (successful)
c:\windows\system32\gdi32.dll (successful)
c:\windows\system32\advapi32.dll (successful)
c:\windows\system32\user32.dll (successful)
c:\windows\system32\winspool.drv (successful)
c:\windows\system32\comctl32.dll (successful)
c:\windows\system32\version.dll (successful)
sqlsrv32.dll (successful)
opengl32.dll (successful)
kernel32 (successful)
msvcrt20.dll (successful)
msls31.dll (successful)
nddeapi.dll (successful)
version.dll (successful)
advapi32.dll (successful)

Additional details

  • The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.

SHA256: 28eab6d204516b64a84512c640b1930c41beaf5fee6e3af474c5aac74730b60e
SHA1: 07b3d3272cc3a00ae3606a611b965de47891af21
MD5: 9d9bc8ba90dd72408b0a2a1e7e10033f
File size: 27.7 KB ( 28365 bytes )
File name: geraam.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 24 / 43
Analysis date: 2012-11-20 07:48:46 UTC ( 1 week, 5 days ago )

0

1

More details
Antivirus Result Update
Agnitum Suspicious!SA 20121118
AhnLab-V3 Spyware/Win32.Zbot 20121118
AntiVir TR/Crypt.XPACK.Gen 20121119
Antiy-AVL - 20121118
Avast Win32:Trojan-gen 20121119
AVG Win32/Heri 20121119
BitDefender Gen:Trojan.Heur.FU.bu0@a8Yq3Bci 20121119
ByteHero - 20121116
CAT-QuickHeal - 20121119
ClamAV - 20121119
Commtouch - 20121119
Comodo UnclassifiedMalware 20121119
DrWeb Trojan.Packed.23434 20121119
Emsisoft Virus.Win32.Suspic.AMN (A) 20121119
eSafe - 20121115
ESET-NOD32 Win32/Small.NGR 20121119
F-Prot - 20121119
F-Secure Gen:Trojan.Heur.FU.bu0@a8Yq3Bci 20121119
Fortinet W32/Kryptik.ANIX!tr 20121119
GData Gen:Trojan.Heur.FU.bu0@a8Yq3Bci 20121119
Ikarus Virus.Win32.Heri 20121119
Jiangmin - 20121119
K7AntiVirus Riskware 20121116
Kaspersky Virus.Win32.Suspic.gen 20121119
Kingsoft - 20121112
McAfee - 20121119
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20121119
Microsoft - 20121119
MicroWorld-eScan Gen:Trojan.Heur.FU.bu0@a8Yq3Bci 20121119
Norman W32/Troj_Generic.EXZAE 20121119
nProtect - 20121119
Panda Trj/OCJ.A 20121119
Rising - 20121119
Sophos - 20121119
SUPERAntiSpyware - 20121119
Symantec WS.Reputation.1 20121119
TheHacker - 20121118
TotalDefense - 20121118
TrendMicro TROJ_SPNR.06K712 20121119
TrendMicro-HouseCall TROJ_SPNR.06K712 20121119
VBA32 - 20121119
VIPRE Trojan.Win32.Generic!BT 20121119
ViRobot - 20121119

Top Visited
 Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

PWS-Zbot Virus Profile & Definition McAfee Inc.

Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 12/19/2007
Date Added: 12/19/2007
Origin: N/A
Length: varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 5189
Removal Instructions

Description

PWS-Zbot is a Trojan that steals online banking credentials and eventually sends them to a remote server.

Indication of Infection

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

http://www.nictasoft.com/viruslib/malware/Trojan-GameThief.Win32.OnLineGames2.an

Detection added: 07.09.2012 0:48:10
MD5: 3E763653E725884BD5A652FFC6C4E334
SHA1: ECE76B0F394B73C5911E373395E361DBBA5C3381


Behavior: Trojan Program (Trojan GameThief)
Trojan GameThief is designed to steal user accounts (and user data) for popular online games (like WOW, LineageII, e.t.c.).

Platform: This malware is a Windows PE EXE file.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP, Windows Vista, Windows 7 (x86)

http://www.knowledgesutra.com/discuss/tloiff-trojangamethiefwin32maganiathe-worst-trojan.html

This one looks different ass I did not see any dll in C:\Documents and Settings\Administrator\Local Settings\Temp\

trojan-gamethief.win32.magania the worst trojan i've ever see in my life. it attacked my computer and start blocking the hard disk, which that is mean i couldn't enter my hard disk drives, it also attacks the registry, my system stops, windows open and close by itself, when i make a scan in kaspersky internet security it affect the kaspersky internet security either but at that time i could find the virus locaton which it was in this path

C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds0.dll


or

C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds1.dll


or

C:\Documents and Settings\Administrator\Local Settings\Temp\herss.exe


i thought as long as i found the virus location then i can remove it manually, but the funny thing that i couldn't enter local setting at all, not by show the hidden folders or using explore, or even from the dos window command, in fact in dps i could enter and show the hidden folders but i couldn't deleted it.
so i decided to use my final option which is the format for c drive
but when i did that it return and affect my files in c drive again
at that point i really get mad , and didn't know what to do, but after a little bit of thinking i discovered that the virus is already infect the other drivers so it came back when i installed the system configuration
so the solution that i did and work for me is after i did format c drive i installed trendmicro antivirus and did scan for all my computer in this step i fixed or clean the other drivers from the virus but c drive is still infected so i reformat the c drive and installed system configurations and that's it
if you want more informations about this virus, these what i can collect

QUOTE

Name : Trojan-PSW:W32/Magania
Detection Names : trojan-gamethief.win32.magania
Category:[/size]Malware
Type: Trojan-PSW

Trojan-PSW:W32/Magania is a large family of login/password stealing trojans that are reportedly made in China. The main purpose of the trojan is to steal logons and passwords from users who play on-line games, provided by Gamania.

It should be noted that some on-line games allow users to sell their character's possessions for real cash, so the motivation behind the creation of such trojans is to steal virtual goods and to convert those goods into real-world cash.

These trojans are usually distributed in file attachments to e-mail messages spammed out to victims by hackers. The file attachment is typically a single executable program. In most cases such an attachment is a self-extracting RAR archive that contains at least one more embedded archive. In one of these archives there's always a Magania trojan.

Once the infectious attachment is run, it usually displays an image as a decoy. At the same time the trojan's payload is activated.

The trojan installs itself to the system by copying itself to one of the Windows subfolders or to the Windows System folder. It then drops a DLL file that represents the main spying component. The trojan registers the dropped DLL as a component of Internet Explorer, so it always has access to the Internet and can monitor URLs that are visited in the browser

Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Sites

Trojan-GameThief.Win32.Magania [Ikarus] | ThreatExpert Statistics

http://www.scanforfree.com/10/trojan-gamethief-win32-onlinegames-remover.html

http://www.threatexpert.com/report.aspx?md5=ff3b49481095cd94962e9c86012b9086

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fNemqe.B

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

 You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019