How to Detect and Remove the Trojan-GameThief.Win32.Taworm

Computers Articles | October 15, 2010

1. What is the Trojan-GameThief.Win32.Taworm Trojan-GameThief.Win32.Taworm is a Trojan horse that targets Windows operating systems. Trojan-GameThief.Win32.Taworm is able to propagate v...

1. What is the Trojan-GameThief.Win32.Taworm

Trojan-GameThief.Win32.Taworm is a Trojan horse that targets Windows operating systems. Trojan-GameThief.Win32.Taworm is able to propagate via unsolicited e-mails and malicious websites. On infiltrating a system, Trojan-GameThief.Win32.Taworm will download additional malware and negatively affect the performance of the infected machine. It is advisable to remove Trojan-GameThief.Win32.Taworm from an infected computer immediately after detection.

a. The following files were created in the system:

c:\autorun.inf

%Temp%\apiqq.exe
c:\io3yalc.exe ([file and pathname of the sample #1])

     %Temp%\apiqq0.dll
     %Temp%\apiqq1.dll
     %Temp%\apiqq2.dll

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

b. Registry Modifications

The following Registry Key was created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN

The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
  - urlinfo = "dfrhjre.m"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - api32 = "%Temp%\apiqq.exe"
  so that apiqq.exe runs every time Windows starts

The following Registry Value was modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  - CheckedValue =

c. Other details

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host Port Number 58.218.210.2080 80

The data identified by the following URL was then requested from the remote web server:
- http://www.baiduop0.com/1mg/am1.rar
- http://www.baiduop0.com/1mg/am.rar

2. How-to's

a. Please update the policy basic knowledge of Sax2 in time, Once sax2 detects the communication of these trojans, it will break them and ensure your network & business security.

b. How to Remove the Trojan-GameThief.Win32.Taworm Manually?

Step 1 : Remove the registry entries hidden by Trojan-GameThief.Win32.Taworm, once you find some programs on your PC run abnormally, you should immediately check the following entries in the Registry, and directly delete the spyware-related registry entries.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
- urlinfo = "dfrhjre.m"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- api32 = "%Temp%\apiqq.exe"

Step 2 : Clean up IE Temporary file folder where the original carrier of PC threats is possibly stored. Meanwhile, the malicious files generated by Trojan-GameThief.Win32.Taworm.bho are possibly located in the following Location:
C:\Windows\System32
C:\Program Files\Common Files
C:\Documents and Settings

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

Source: Free Articles from ArticlesFactory.com

ABOUT THE AUTHOR

I'm a network security export and found to dectect and resovle network security problems with intrusion software Sax2 is a good way. It can reslove many problems, such as ARP spoof, SQL Inject attacks, worms, backdor Trojans and so on.