This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.
This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.
Technical Details
A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE-EXE file), 231124 bytes in size, written in C++.
Payload
After launching, the trojan searches for a running process named:
Garss.exe
If this process is running, the trojan terminates its own execution. The trojan then extracts a file from its body and saves it in the temporary directory under the following name:
%Temp%\<rnd>_res.tmp
where <rnd> is a random numeric sequence. It then moves this file and saves it under the following name:
%Documents and Settings%\QQCRT.DLL
The file is 22154588 bytes and is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.Magania.erpe. The trojan also moves the system file:
%System%\rundll32.exe
to
C:\Program Files\Garss.exe
It then launches the malicious library from the command line:
C:\Program Files\Garss.exe "C:\Documents and Settings\QQCRT.DLL" Main
To have the malicious library started automatically, the trojan modifies the "BITS" system service. To do this, it creates and imports a registry file under the following name:
C:\1.reg
after which the following information is added to the system registry:
[HKLM\System\CurrentControlSet\Services\BITS]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"DisplayName"="Background Intelligent Transfer Service (BITS)"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Ensures the transfer of data between clients and severs in the background. If the BITS service is disabled, options such as Windows Update will not work properly."
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
[HKLM\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%Documents and Settings%\QQCRT.DLL"
After it has been imported, the "1.reg" file is deleted. The trojan also searches for the following anti-virus processes:
RsTray.exe
360tray.exe
and actively counteracts anti-virus applications in separate threads. The trojan may also copy its executable file under the following name:
C:\Program Files\QQ.EXE
It creates a file named:
C:\LoadLibrary.exe
which the trojan may also move and save under the following name:
%Documents and Settings%\%Current User%\Main menu\X.exe
The file is 36752 bytes. The trojan uses this file to launch the malicious library. It extracts the following certificate from its body and installs it:
%WinDir%\Windows.cer (590 bytes)
After completing its work, the trojan deletes itself.
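As an added defensive check (example code, not Kaspersky's), the following Python parses a .reg export such as the fragment above and flags any svchost-hosted service whose ServiceDll has been redirected outside System32; the sample export is constructed from the page's BITS keys plus an assumed benign Dnscache entry.

```python
"""Flag svchost-hosted services whose ServiceDll lives outside System32, the
BITS hijack described above. Added example, not Kaspersky's code."""
import re

# Constructed sample registry export (not the page's full dump): the BITS keys
# as the trojan writes them plus an assumed benign Dnscache key for comparison.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKLM\System\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
  00,01,00,00,00,60,ea,00,00

[HKLM\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%Documents and Settings%\QQCRT.DLL"

[HKLM\System\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
"""

# Known-good location for DLLs hosted by svchost.exe (BITS normally uses qmgr.dll).
SYSTEM32_DLL = re.compile(r"^%systemroot%\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}, joining backslash-continued lines."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys


def find_hijacked_service_dlls(text):
    """Return [(service, dll)] for every Parameters\\ServiceDll not in System32."""
    findings = []
    for key, values in parse_reg(text).items():
        m = re.search(r"\\Services\\([^\\]+)\\Parameters$", key, re.IGNORECASE)
        if m is None or "ServiceDll" not in values:
            continue
        # Real .reg exports escape backslashes in strings; the page's dump does not.
        dll = values["ServiceDll"].strip('"').replace("\\\\", "\\")
        if not SYSTEM32_DLL.match(dll):
            findings.append((m.group(1), dll))
    return findings
```

On a live host the same check applies to the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, which for BITS should be %SystemRoot%\System32\qmgr.dll.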
Removal instructions
If your computer was not protected by anti-virus software and has been infected, take the following steps to remove the malware:
Stop the "BITS" service.
Delete the following file:
%Documents and Settings%\QQCRT.DLL
Restore the original value of the "ServiceDll" parameter in the system registry key, which the trojan has replaced with:
[HKLM\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%Documents and Settings%\QQCRT.DLL"
Auto description
Makes copies of itself with the following names once launched:
%Program Files%\QQ.EXE (standard directory for programs installed on Windows OS, usually C:\Program Files)
Creates the following files on an infected computer:
%Temp%\131468_res.tmp (directory for storage of temporary files on Windows OS, usually C:\Documents and Settings\\Local Settings\Temp)
(Kaspersky Anti-Virus detects as Trojan-GameThief.Win32.Magania.erpe)
%Documents and Settings%\QQCRT.DLL (directory of users' settings)
(Kaspersky Anti-Virus detects as Trojan-GameThief.Win32.Magania.erpe)
%Temp%\163312_res.tmp (directory for storage of temporary files on Windows OS, usually C:\Documents and Settings\\Local Settings\Temp)
C:\LoadLibrary.exe
%Windir%\Windows.cer (Windows directory, usually C:\Windows)
%UserDir%\Start Menu\X.exe (current user directory, usually C:\Documents and Settings\)
Malicious activity
Creates the following files:
%Program Files%\Garss.exe (standard directory for programs installed on Windows OS, usually C:\Program Files)
Launches files shown below for execution:
%Program Files%\Garss.exe (standard directory for programs installed on Windows OS, usually C:\Program Files)
Other activities
Runs the following files (commands):
%System%\rundll32.exe cryptext.dll,CryptExtAddCER %Windir%\Windows.cer
(%System% is the Windows system directory, usually C:\Windows\System32; %Windir% is the Windows directory, usually C:\Windows)
Searches for the following windows:
Class: #32770
Title:
Deletes the following files on an infected computer:
<path to source program>\<file of source program>
%Temp%\131468_res.tmp (directory for storage of temporary files on Windows OS, usually C:\Documents and Settings\\Local Settings\Temp)
%Temp%\163312_res.tmp (directory for storage of temporary files on Windows OS, usually C:\Documents and Settings\\Local Settings\Temp)
C:\LoadLibrary.exe