Trojan-GameThief.Win32.Taworm


1. What is the Trojan-GameThief.Win32.Taworm

Trojan-GameThief.Win32.Taworm is a Trojan horse that targets Windows operating systems. Trojan-GameThief.Win32.Taworm is able to propagate via unsolicited e-mails and malicious websites. On infiltrating a system, Trojan-GameThief.Win32.Taworm will download additional malware and negatively affect the performance of the infected machine. It is advisable to remove Trojan-GameThief.Win32.Taworm from an infected computer immediately after detection.


a. The following files were created in the system:

     c:\autorun.inf
     %Temp%\apiqq.exe
     c:\io3yalc.exe  ([file and pathname of the sample #1])
     %Temp%\apiqq0.dll
     %Temp%\apiqq1.dll
     %Temp%\apiqq2.dll

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).


b. Registry Modifications


  • The following Registry Key was created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
      • urlinfo = "dfrhjre.m"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • api32 = "%Temp%\apiqq.exe" (so that apiqq.exe runs every time Windows starts)
  • The following Registry Value was modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
      • CheckedValue =

c. Other details

  • An attempt to establish a connection with a remote host was recorded. The connection details are:

      Remote Host        Port Number
      58.218.210.2080    80

  • The data identified by the following URLs was then requested from the remote web server:

    • http://www.baiduop0.com/1mg/am1.rar
    • http://www.baiduop0.com/1mg/am.rar


2. How-to's

a. Please update the Sax2 policy knowledge base in time. Once Sax2 detects the communication of these trojans, it will break the connection and ensure your network and business security.

b. How to Remove the Trojan-GameThief.Win32.Taworm  Manually?

Step 1: Remove the registry entries hidden by Trojan-GameThief.Win32.Taworm. Once you find that some programs on your PC run abnormally, immediately check the following entries in the Registry and delete the spyware-related registry entries directly.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
    • urlinfo = "dfrhjre.m"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • api32 = "%Temp%\apiqq.exe"

Step 2: Clean up the IE Temporary Internet Files folder, where the original carrier of PC threats is possibly stored. Meanwhile, the malicious files generated by Trojan-GameThief.Win32.Taworm.bho are possibly located in the following locations:

     C:\Windows\System32
     C:\Program Files\Common Files
     C:\Documents and Settings
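The file and registry artifacts in section 1 and the two manual removal steps above can be checked in one pass. The following PowerShell script is an added example, not code from the original page or from Sax2: it audits a host for the artifacts listed on this page (the dropped files, the `api32` Run value, the `MADOWN` key and the tampered `SHOWALL\CheckedValue`) and, only when `-Remove` is given, cleans them up. Assumptions: it is run from an elevated prompt, the hidden-file `CheckedValue` is reset to its Windows default of 1 (the page does not state the value the trojan writes), and the dropper's own filename (`io3yalc.exe` in the analysed sample) is not checked because it varies between samples.

```powershell
<#
Added example (not from the original page or from Sax2): audit a Windows host for the
Trojan-GameThief.Win32.Taworm artifacts listed in section 1 and, with -Remove, clean them up.
Run from an elevated PowerShell prompt. -WhatIf previews what -Remove would do.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # report only unless -Remove is given
)

# %Temp% of the current user; the trojan drops its payload and DLLs there
$temp = [System.IO.Path]::GetTempPath().TrimEnd('\')

# Dropped files from section 1a (the dropper's own name varies, so it is not listed)
$files = @(
    'C:\autorun.inf',
    "$temp\apiqq.exe",
    "$temp\apiqq0.dll",
    "$temp\apiqq1.dll",
    "$temp\apiqq2.dll"
)

# Registry locations from section 1b
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$clsidKey = 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN'
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    [void]$findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. The running payload is recorded first: a file that is executing cannot be deleted
Get-Process -Name 'apiqq' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' $_.Path "PID $($_.Id)" }

# 2. Dropped files; the hash is recorded so the sample can be matched later
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Add-Finding 'File' $f ('SHA256 ' + (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash)
    }
}

# 3. Persistence (Run value) and the trojan's marker key
$api32 = (Get-ItemProperty -Path $runKey -Name 'api32' -ErrorAction SilentlyContinue).api32
if ($api32) { Add-Finding 'RegistryValue' "$runKey\api32" $api32 }

if (Test-Path -LiteralPath $clsidKey) {
    $urlinfo = (Get-ItemProperty -Path $clsidKey -Name 'urlinfo' -ErrorAction SilentlyContinue).urlinfo
    Add-Finding 'RegistryKey' $clsidKey "urlinfo = $urlinfo"
}

# 4. The "show hidden files" setting; anything other than the default 1 keeps the dropped files invisible
$checked = (Get-ItemProperty -Path $showAll -Name 'CheckedValue' -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $checked -and $checked -ne 1) {
    Add-Finding 'RegistrySetting' "$showAll\CheckedValue" "is $checked, Windows default is 1"
}

if ($findings.Count -eq 0) {
    Write-Host 'No Taworm artifacts found.'
    return
}
$findings | Format-Table -AutoSize

if (-not $Remove) { return }

# Removal follows the order of the findings: stop the process, delete files, then registry entries
foreach ($hit in $findings) {
    if (-not $PSCmdlet.ShouldProcess($hit.Location, "Remove $($hit.Type)")) { continue }
    switch ($hit.Type) {
        'Process'         { Stop-Process -Name 'apiqq' -Force -ErrorAction SilentlyContinue }
        'File'            { Remove-Item -LiteralPath $hit.Location -Force }
        'RegistryValue'   { Remove-ItemProperty -Path $runKey -Name 'api32' }
        'RegistryKey'     { Remove-Item -Path $hit.Location -Recurse -Force }
        'RegistrySetting' { Set-ItemProperty -Path $showAll -Name 'CheckedValue' -Value 1 -Type DWord }
    }
}
```

Run it once without switches to get the report, then with `-Remove -WhatIf` to preview and `-Remove` to clean up. The process is stopped before the file deletion step because Windows will not delete an image that is still mapped, which is why a removal that only deletes the Run value and the file tends to fail or leave `apiqq.exe` behind until the next reboot.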

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm