PWS:Win32/Gamania is a family of trojans that steals online game passwords and sends them to remote sites.
Installation
When PWS:Win32/Gamania runs, it copies itself to a location under the Windows directory and drops a DLL into the System folder. The filenames and locations used differ according to variant.
It then modifies the registry to execute itself at each Windows start, by adding values and data specific to the particular variant to the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In addition, it makes the following registry modification:
Adds value: ver_
With data: <version>
To subkey: HKLM\Software\Microsoft\Windows
For example, one variant copies itself to %windir%\config\svhost32.exe, drops a DLL to <system folder>\dllf.dll, and makes the following registry modifications:
Adds value: "fzg"
With data: "%windir%\config\svhost32.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "ver_"
With data: "mz."
To subkey: HKLM\software\microsoft\windows
Another variant copies itself to %windir%\addins\rundll32.exe (a copy of the trojan that borrows the name of the legitimate Windows rundll32.exe, which lives in the System folder), drops a DLL to <system folder>\r2dll.dll, and makes the following registry modifications:
Adds value: "Rr2"
With data: "%windir%\addins\rundll32.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "ver_"
With data: "mz."
To subkey: HKLM\software\microsoft\windows
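The registry values, drop directories and file names listed for the two variants above make a compact set of host indicators. The following PowerShell script is an added example (not part of this write-up and not a Microsoft tool) that checks a host for exactly those indicators. It assumes <system folder> is %SystemRoot%\System32 and, on 64-bit Windows, also looks under Wow6432Node in case the 32-bit dropper's registry writes were redirected there. Because other variants use different names, an empty result does not prove the host is clean.

```powershell
# Added example: check a host for the PWS:Win32/Gamania persistence artifacts
# described in the two variants above. Run from an elevated PowerShell.
# Assumptions (not stated in the write-up): <system folder> = %SystemRoot%\System32,
# and 32-bit registry writes on 64-bit Windows may land under Wow6432Node.

$findings = @()
$psNoise  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Drop directories used by the two variants: %windir%\config and %windir%\addins
$suspectDirs = @("$env:windir\config\", "$env:windir\addins\")

foreach ($hive in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')) {

    # 1. Version marker: value "ver_" under HKLM\Software\Microsoft\Windows
    $winKey = "$hive\Microsoft\Windows"
    $ver = Get-ItemProperty -Path $winKey -Name 'ver_' -ErrorAction SilentlyContinue
    if ($ver) {
        $findings += "ver_ marker under $winKey with data '$($ver.'ver_')'"
    }

    # 2. Run key values whose data points into one of the drop directories
    $runKey = "$hive\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($psNoise -contains $prop.Name) { continue }   # provider metadata, not a Run value
            $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
            foreach ($dir in $suspectDirs) {
                if ($data.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $findings += "Run value '$($prop.Name)' in $runKey -> $data"
                }
            }
        }
    }
}

# 3. Dropped files named in the two variants
$dropped = @(
    "$env:windir\config\svhost32.exe",
    "$env:windir\addins\rundll32.exe",
    "$env:SystemRoot\System32\dllf.dll",
    "$env:SystemRoot\System32\r2dll.dll"
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $fi = Get-Item -LiteralPath $f
        $findings += "File present: $f ($($fi.Length) bytes, last written $($fi.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PWS:Win32/Gamania indicators from this write-up were found.'
} else {
    Write-Output 'Possible PWS:Win32/Gamania indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The Run key check matches on the data (the path the value launches) rather than on the value names "fzg" and "Rr2", because the names are per-variant while the drop directories are the more stable signal; a legitimate program should not be auto-starting from %windir%\config or %windir%\addins. Any hit on step 3 should be triaged by hash and timestamp before removal, since the write-up gives no hashes.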
Payload
Steals Online Game Passwords
PWS:Win32/Gamania sets up keyboard and mouse message hooks in order to capture login information when the affected user attempts to access particular game websites, such as http://www.wayi.com.tw.
Downloads and Executes Arbitrary Files
PWS:Win32/Gamania is able to update itself. It contacts a remote site to check if a new version is available. If found, it downloads the new version and then executes it.
Modifies System Security Settings
The trojan attempts to close alert windows used by the following security-related applications:
• Rising Security Monitor
• ZoneAlarm
Terminates Processes
PWS:Win32/Gamania attempts to terminate the following processes:
• Eghost.exe
• Mailmon.exe
• KAVPFW.exe
• IPArmor.exe
Analysis by Chun Feng