Worm:Win32/Taterf.D is the detection for malware that logs user account details for certain online games. It may spread to other computers via logical drives. It may also drop other malware and delete or rename certain files associated with security programs.
Installation
Worm:Win32/Taterf.D copies itself to the computer as the following file:
- <system folder>\koking.exe
It also drops the following files:
- <system folder>\koie<number>.dll - also detected as Worm:Win32/Taterf.D
- <system folder>\koking<number>.dll - detected as PWS:Win32/Frethog.F
All of its files are given the "hidden", "read-only", and "system" attributes. Worm:Win32/Taterf.D exits immediately if the system's current code page is "gb2312" or if the installed language is Simplified Chinese.
Spreads via...
Logical drives
Worm:Win32/Taterf.D may spread by dropping a copy of itself on every writable drive from C: to Z:. It may also drop a file named "autorun.inf" on the same drive so that the copy runs automatically when the drive is accessed and Autorun is enabled.
Payload
Drops other malware
Worm:Win32/Taterf.D drops a DLL file, which may be detected as PWS:Win32/Frethog.F (see the Installation section).
It then registers and loads its dropped DLL by running the following command:
<system folder>\regsvr32.exe /s <system folder>\koie<number>.dll
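As an added illustration that is not part of this description, the following Python check looks for the artifacts described under Installation, Spreads via and Drops other malware: the dropped-file names carrying the hidden, read-only and system attributes together, an autorun.inf whose launch entries point at the worm's copy, and the regsvr32 loader command line. The directory listing and autorun.inf text are constructed samples, and the assumption that the copy placed on a drive keeps the name koking.exe is mine, not the page's.

```python
import re

# Win32 file attribute bits; the worm sets all three on its files.
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x01, 0x02, 0x04
HRS_MASK = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
# Dropped-file names from the description: koking.exe, koie<number>.dll, koking<number>.dll
DROPPED_NAME_RE = re.compile(r"^(koking\.exe|koie\d+\.dll|koking\d+\.dll)$", re.IGNORECASE)
# Loader command from the description: regsvr32.exe /s <system folder>\koie<number>.dll
LOADER_RE = re.compile(r"regsvr32(\.exe)?\s+/s\s+\S*\\koie\d+\.dll\s*$", re.IGNORECASE)

def flag_dropped_files(listing):
    """listing: iterable of (file_name, attribute_bits); returns the names that match the
    dropped-file patterns and carry hidden + read-only + system at the same time."""
    return [name for name, attrs in listing
            if DROPPED_NAME_RE.match(name) and (attrs & HRS_MASK) == HRS_MASK]

def autorun_launch_commands(inf_text):
    """Return every command the [autorun] section of an autorun.inf can launch on
    access: the open=, shellexecute= and shell\\<verb>\\command= values."""
    commands, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value)
    return commands

def autorun_runs_dropped_copy(inf_text):
    """True if any launch entry names a file matching the dropped-file patterns.
    Assumption (not from the description): the copy on the drive keeps the koking.exe name."""
    return any(DROPPED_NAME_RE.match(cmd.split()[0].rsplit("\\", 1)[-1])
               for cmd in autorun_launch_commands(inf_text) if cmd)

def is_loader_cmdline(cmdline):
    # True for a process command line matching the regsvr32 loader command above
    return LOADER_RE.search(cmdline) is not None

# Constructed sample input, not taken from a real infection: (file name, attribute bits)
SAMPLE_LISTING = [("koking.exe", 0x27), ("koie42.dll", 0x07),
                  ("kernel32.dll", 0x20), ("koking7.dll", 0x02)]   # last one: hidden only
SAMPLE_AUTORUN = "[autorun]\nopen=koking.exe\nshell\\open\\Command=koking.exe\nicon=koking.exe,0\n"
```

On a live system, feed flag_dropped_files the names and attribute bits of the system folder and each drive root, and is_loader_cmdline the command lines of running regsvr32 processes.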
Deletes or renames files
Worm:Win32/Taterf.D looks for the following processes. If one is found, it tries to delete or rename certain files located in subfolders of the folder from which the process runs. For example, if the process runs from the folder "<process folder>", the worm tries to delete or rename the files named below in all subfolders under "<process folder>":
- LIVESRV.EXE - delete or rename all DLL and EXE files
- VCRMON.EXE - delete or rename "update.exe"
- ALUSCHEDULERSVC.EXE - delete or rename "luall.exe"
- ASHDISP.EXE - delete or rename "avast.setup" and "setup.ovr"
- EKRN.EXE - delete or rename "updater.dll", "eguiEpfw.dll", "eguiEmon.dll", "ekrnEpfw.dll", and "ekrnEmon.dll"
- AVP.EXE - delete or rename "prupdate.ppl"
- AYAGENT.AYE - delete or rename "AYUpdate.aye"
- UFSEAGNT.EXE - delete or rename "SfFnUp.exe" and "UfUpdUi.exe"
- AVGNT.EXE - delete or rename "preupd.exe" and "update.exe"
- VSTSKMGR.EXE - delete or rename "vsupdate.dll" and "mcupdate.exe"
- AVGRSX.EXE - delete or rename "avgupd.exe"
Disables security software
Worm:Win32/Taterf.D overwrites the in-memory System Service Dispatch Table (SSDT) with an original copy read from disk. This discards any entries that security software has hooked in the table, and is an attempt to disable real-time protection or on-access malware detection that relies on those SSDT hooks.
Steals online game data
The DLL component, which is also detected as Worm:Win32/Taterf.D, registers itself as a Browser Helper Object (BHO) so that it is loaded every time Internet Explorer runs.
It attempts to log the user's account details when the user signs in to a number of online game websites.
The collected information may be logged to files located in %windir%.
Analysis by Shawn Wang