[INFO]
AnalystName=Andrei Brasoveanu
AnalystEMailID=brasoveanua@comodo.com
Team=Romania
Date=18-JAN-2010
Type=TrojWare
Platform=Win32
SubType=GameThief
Family=Magania
Variant=

[OVERVIEW]
Win32.Magania (also known as Win32.Gamania) belongs to the login/password-stealing class of malware. Its main purpose is to steal login names and passwords from users who play the online games provided by Gamania Digital Entertainment Co., Ltd.

[TECHNICAL_DESCRIPTION]
In most cases, Win32.Magania has the following behaviour:

It creates an executable file that serves as the login/password-stealing component on the targeted computer. Usually this file is located either in a subdirectory of the Windows folder (such as System or System32, depending on the OS version) or in a subdirectory of the Documents and Settings folder (such as %appdata% or %temp%). It can also create a new folder (usually under the Windows directory), give it a very common-looking name such as "Install", and then generate the executable file inside it. The executable camouflages itself well by taking pseudo-legitimate names such as "Service(s).exe", "System32(s).exe" or "Svchost(s).exe". It remains active in the background, waiting for the unaware user to enter his/her online game login credentials.

It creates a DLL file, the second component; there is no predefined location for this file, since it can be generated anywhere on the hard drive. The DLL is registered, loaded and executed, and its main purpose is to open a backdoor into the system, giving the attacker a way to retrieve the stolen credentials.

It can also add a third component by registering a .sys file with a randomly generated name in the "Drivers" folder under the %system% directory. This results in rootkit activity, which helps the attacker maintain access to the computer and use it for other malicious purposes.

[SYMPTOMS]
There are no "visible" symptoms, since every step described above is executed silently, without the user's knowledge.

[DISINFECTION]
Install and scan with Comodo AntiVirus to remove these threats.
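The drop locations and look-alike file names described above can be turned into a simple triage check over a file listing. The following is an added example written for this page, not Comodo's own tooling; it assumes a default Windows XP layout (genuine services.exe and svchost.exe live only in C:\WINDOWS\system32) and a caller-supplied baseline of known driver names, and it runs over a constructed list of paths.

```python
import ntpath
import re

# Look-alike names the advisory lists: Service(s).exe, System32(s).exe, Svchost(s).exe.
LOOKALIKE = re.compile(r"^(services?|system32s?|svchosts?)\.exe$", re.IGNORECASE)
# Only two of those names exist legitimately, and only in System32 (assumption: default install).
GENUINE = {("services.exe", r"c:\windows\system32"), ("svchost.exe", r"c:\windows\system32")}
DRIVERS_DIR = r"c:\windows\system32\drivers"


def norm(path):
    """Lower-case a Windows path and split it into (directory, filename)."""
    head, tail = ntpath.split(path.lower())
    return head.rstrip("\\"), tail


def triage(paths, known_drivers):
    """Return (path, reason) pairs for paths matching the advisory's drop patterns.

    known_drivers: set of lower-case .sys file names from a trusted baseline.
    """
    hits = []
    for p in paths:
        d, f = norm(p)
        if LOOKALIKE.match(f) and (f, d) not in GENUINE:
            hits.append((p, "look-alike executable outside its legitimate location"))
        elif d == DRIVERS_DIR and f.endswith(".sys") and f not in known_drivers:
            hits.append((p, "driver not in baseline (possible rootkit component)"))
    return hits


# Constructed sample listing: two genuine system files, three dropped stealer
# candidates, one baseline driver and one driver with a random-looking name.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\System32.exe",
    r"C:\WINDOWS\Install\Svchosts.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\service.exe",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\qkxzt.sys",
]
BASELINE_DRIVERS = {"ntfs.sys", "tcpip.sys"}  # constructed baseline, not a real allow-list

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS, BASELINE_DRIVERS):
        print(f"{path}: {reason}")
```

The baseline set stands in for a driver inventory taken from a known-clean machine; without one, every .sys file in the Drivers folder would be reported.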