Threat behavior
PWS:Win32/Gamania.gen!A is a generic detection for a trojan component that steals online game passwords and sends the captured data to remote websites.
Installation
<system folder>\pdll.dll
Payload
Terminates various security programs
PWS:Win32/Gamania.gen!A hooks Windows API calls to identify security applications currently running. For example, the malware could identify a security application by matching its window name and executable name to a predefined list such as the following:
window name: RavMonClass
application name: RavMon.exe
The trojan attempts to terminate any security applications it finds.
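The behavior described above can be hunted by correlating a load of pdll.dll from the system folder with a later terminate-access request against a listed security process. The Python sketch below is an added example, not code from the original analysis. The event tuple layout, sample paths and 300-second window are hypothetical, and it assumes the DLL is loaded into the process that performs the termination and that the system folder is a System32 directory.

```python
import ntpath

PROCESS_TERMINATE = 0x0001        # Windows process access right
DROPPED_DLL = "pdll.dll"          # file name from the Installation section
SECURITY_IMAGES = {"ravmon.exe"}  # example entry from the page; extend per site
SYSTEM_DIR_SUFFIX = "\\system32"  # assumption: <system folder> resolves here


def is_dropped_dll(path):
    """True when path is pdll.dll located directly in the system folder."""
    p = path.lower()
    return (ntpath.basename(p) == DROPPED_DLL
            and ntpath.dirname(p).endswith(SYSTEM_DIR_SUFFIX))


def find_suspects(events, window=300):
    """Flag processes that loaded the DLL and then requested terminate
    access to a watched security process within `window` seconds."""
    loaded_at, alerts = {}, []  # loaded_at: (host, pid) -> last DLL load time
    for ts, host, kind, pid, path, access in sorted(events):
        actor = (host, pid)
        if kind == "image_load" and is_dropped_dll(path):
            loaded_at[actor] = ts
        elif kind == "process_access":
            target = ntpath.basename(path).lower()
            seen = loaded_at.get(actor)
            if (target in SECURITY_IMAGES and access & PROCESS_TERMINATE
                    and seen is not None and ts - seen <= window):
                alerts.append((host, pid, target))
    return alerts


# Constructed telemetry, hypothetical schema: (time_s, host, event, pid, path, access).
SAMPLE = [
    (10, "pc1", "image_load", 412, r"C:\WINDOWS\System32\pdll.dll", 0),
    (14, "pc1", "process_access", 412, r"C:\AV\RavMon.exe", 0x0001),
    # Terminate request from a process that never loaded the DLL: ignored.
    (20, "pc1", "process_access", 900, r"C:\AV\RavMon.exe", 0x0001),
    # Same file name outside the system folder, query-only access: ignored.
    (30, "pc2", "image_load", 77, r"C:\Games\pdll.dll", 0),
    (31, "pc2", "process_access", 77, r"C:\AV\RavMon.exe", 0x1000),
    # Load too long before the terminate request (possible PID reuse): ignored.
    (40, "pc3", "image_load", 5, r"C:\Windows\System32\pdll.dll", 0),
    (900, "pc3", "process_access", 5, r"C:\AV\RavMon.exe", 0x0001),
]

if __name__ == "__main__":
    print(find_suspects(SAMPLE))
```

Requiring both signals keeps an administrator ending the process from Task Manager, or an unrelated file that happens to be named pdll.dll, from raising an alert on its own.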
Captures online game passwords and sends captured data to remote websites
PWS:Win32/Gamania.gen!A hooks Windows API calls to capture data entered via keyboard and mouse when the affected user attempts to access particular game websites. A timer process instructs the malware to record the captured data every ten seconds. The captured data is then sent to predefined remote websites.
Analysis by Dan Kurc
Prevention