Submission Summary:

• Submission details:
• Submission received: 22 June 2009, 15:44:03
• Processing time: 10 min 1 sec
• Submitted sample:
• File MD5: 0x4AA78D41E8F2EC2B4E762B2E4E2A8BA2
• File SHA-1: 0x8F28D04366757E8C428EB7F608C864D16738F8C6
• Filesize: 116,125 bytes
• Alias:
• Trojan.Lineage.Gen!Pac.3 [PCTools]
• W32.Gammima [Symantec]
• Trojan-GameThief.Win32.OnLineGames.lqa [Kaspersky Lab]
• PWS-Gamania.gen.a [McAfee]
• Mal_NSAnti-1 [Trend Micro]
• Mal/EncPk-CE [Sophos]
• PWS:Win32/OnLineGames [Microsoft]
• Trojan-GameThief.Win32.OnLineGames [Ikarus]
• Win-Trojan/MalPacked.Gen [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-PWS.OnlineGames!ct	Trojan-PWS.OnlineGames!ct steals password information associated with popular online games.
Rootkit.Agent.QV	Rootkit.Agent.QV injects rootkit components into Windows processes and attempts to hides itself from detection. It also made changes to Windows Explorer settings and download other malicious files from external servers.
Rootkit.Agent.YYF	Rootkit.Agent.YYF injects rootkit components into Windows processes and attempts to hides itself from detection. It also made changes to Windows Explorer settings and download other malicious files from external servers.

• Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A hacktool that could be used by attackers to break into a system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	260 bytes	MD5: 0x1743D2188DEB14870A65908BF214CAC3 SHA-1: 0x4A5597E35576CB90174DC622017B84A4AF9E0661	INF.Autorun.Gen [PCTools] Infostealer.Gampass [Symantec] Worm.Win32.AutoRun.bdl [Kaspersky Lab] Troj/OnLineG-AI [Sophos] Worm.Win32.AutoRun [Ikarus]
2	%Temp%\31qsmqg1.sys	21,924 bytes	MD5: 0x04792373FB8F10E6DFF4922A0A9516BD SHA-1: 0x1C0D705F298241093CAB479F3DFFF755359EF32B	Rootkit.Vanti.Gen [PCTools] Hacktool.Rootkit [Symantec] Trojan-GameThief.Win32.OnLineGames.sgyr [Kaspersky Lab] Mal/RootKit-A [Sophos] VirTool:Win32/Vanti.gen!A [Microsoft] Rootkit.Win32.Vanti.gz [Ikarus] Win-Trojan/MalDbgDrv.Gen [AhnLab]
3	%Temp%\dsm7b.dll	31,286 bytes	MD5: 0xCFC8D9C38E615070698EC27B7EC8D81C SHA-1: 0x8F592452A315208D713BD29F90A11173395B042A	Trojan-PWS.OnlineGames!ct [PCTools] Hacktool.Rootkit [Symantec] Trojan-GameThief.Win32.OnLineGames.maa [Kaspersky Lab] PWS-Gamania.gen.a [McAfee] Mal/EncPk-CE [Sophos] PWS:Win32/OnLineGames [Microsoft] Packed.Win32.NSAnti [Ikarus] Win-Trojan/OnlineGameHack.31286.B [AhnLab]
4	c:\erdeIect.com %System%\kavo.exe [file and pathname of the sample #1]	116,125 bytes	MD5: 0x4AA78D41E8F2EC2B4E762B2E4E2A8BA2 SHA-1: 0x8F28D04366757E8C428EB7F608C864D16738F8C6	Trojan.Lineage.Gen!Pac.3 [PCTools] W32.Gammima [Symantec] Trojan-GameThief.Win32.OnLineGames.lqa [Kaspersky Lab] PWS-Gamania.gen.a [McAfee] Mal_NSAnti-1 [Trend Micro] Mal/EncPk-CE [Sophos] PWS:Win32/OnLineGames [Microsoft] Trojan-GameThief.Win32.OnLineGames [Ikarus] Win-Trojan/MalPacked.Gen [AhnLab]
5	%System%\kavo0.dll %System%\kavo1.dll	89,088 bytes	MD5: 0x03AA1F14106763666D88356C3A430B2B SHA-1: 0x91C80C7339DA433DA5FF7730FC7AD9ED460A7F34	Trojan.Lineage.Gen!Pac.3 [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.OnLineGames.mje [Kaspersky Lab] PWS-LegMir.dll [McAfee] Mal_NSAnti-1 [Trend Micro] Troj/Lineag-Gen, Mal/EncPk-CE [Sophos] Worm:Win32/Taterf.C.dll [Microsoft] Trojan-GameThief.Win32.OnLineGames [Ikarus] Win-Trojan/KorGameHack.89088 [AhnLab]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	229,376 bytes
iexplore.exe	%ProgramFiles%\Internet Explorer\iexplore.exe	102,400 bytes
kavo.exe	%System%\kavo.exe	229,376 bytes

• Notes:
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

• The newly created Registry Value is:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• kava = "%System%\kavo.exe"

so that kavo.exe runs every time Windows starts

Other details

• The following Internet download was started (the retrieved bits are saved into the local file):