How to Detect and Remove the Trojan-GameThief.Win32.Taworm

Oct 15, 2010, 07:23

AndyHuang


This article introduces what Trojan-GameThief.Win32.Taworm is and how to detect and remove it.

1. What is the Trojan-GameThief.Win32.Taworm

Trojan-GameThief.Win32.Taworm is a Trojan horse that targets Windows operating systems. It propagates via unsolicited e-mail and malicious websites. Once it has infiltrated a system, Trojan-GameThief.Win32.Taworm downloads additional malware and degrades the performance of the infected machine. It is advisable to remove Trojan-GameThief.Win32.Taworm from an infected computer immediately after detection.

a. The following files were created on the system:

  • c:\autorun.inf
  • c:\io3yalc.exe  (file and path name of sample #1, i.e. the dropper as it was submitted for analysis; the file name varies between samples)
  • %Temp%\apiqq.exe
  • %Temp%\apiqq0.dll
  • %Temp%\apiqq1.dll
  • %Temp%\apiqq2.dll

Notes:

%Temp% is a variable that refers to the temporary folder in short path form. By default this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ on Windows NT/2000/XP and C:\Users\[UserName]\AppData\Local\Temp\ on Windows Vista and later. Because it is a per-user folder, look in the profile of the user who was logged on when the infection occurred.


b. Registry Modifications
  • The following registry key was created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
  • The newly created registry values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
      • urlinfo = "dfrhjre.m"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • api32 = "%Temp%\apiqq.exe"
      so that apiqq.exe runs every time that user logs on (the HKCU Run key is per user, not per machine, so the persistence is only visible from the affected account)
  • The following registry value was modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
      • CheckedValue =
      This value backs the "Show hidden files and folders" option in Explorer's Folder Options; its default is a REG_DWORD of 1. Tampering with it is a common way of keeping hidden dropped files out of sight. If it is no longer a DWORD with the value 1, reset it during cleanup.
c. Other details
  • An attempt to establish a connection with a remote host was registered. The connection details, as printed in the report:

    Remote Host        Port Number
    58.218.210.2080    80

    The address as printed is not a valid dotted-quad IPv4 address, so do not rely on it for blocking; the domain and URLs below are the usable network indicators.

  • The data identified by the following URLs was then requested from the remote web server (these are the additional payloads referred to above; note the Baidu look-alike domain name):

    • http://www.baiduop0.com/1mg/am1.rar
    • http://www.baiduop0.com/1mg/am.rar
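The network indicators above are most useful when swept against proxy logs to find every internal client that fetched the payloads. The following PowerShell script is an added example, not part of the original report: the domain is taken from the URLs above, but the log format (epoch, client IP, method, URL, status), the sample log lines and the function name are constructed for illustration. It matches on the parsed URL host rather than on a substring, so a decoy such as baiduop0.com.example.net does not produce a false positive. Requires PowerShell 3.0 or later.

```powershell
# Added example (not part of the original report): sweep a proxy access log for the
# download host above and report which internal clients contacted it.
# Assumed log format per line: <epoch> <client-ip> <method> <url> <status>

# Domain from the report's URLs. The printed remote host is not a valid IPv4
# address, so it is deliberately not used as an indicator here.
$suspectDomains = @('baiduop0.com')

# Constructed sample log: 10.0.0.15 fetched both .rar payloads, 10.0.0.22 is clean,
# 10.0.0.31 hit a look-alike host that must NOT match.
$sampleLog = @'
1287127411 10.0.0.15 GET http://www.baiduop0.com/1mg/am.rar 200
1287127415 10.0.0.22 GET http://www.example.com/index.html 200
1287127420 10.0.0.15 GET http://www.baiduop0.com/1mg/am1.rar 200
1287127433 10.0.0.31 GET http://baiduop0.com.example.net/ 404
'@

function Find-TawormClients {
    param([string[]]$LogLines, [string[]]$Domains)
    $LogLines |
        Where-Object { $_ -match '\S' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            $uri = $null
            if ([System.Uri]::TryCreate($f[3], [System.UriKind]::Absolute, [ref]$uri)) {
                # Exact host or a subdomain of an indicator; never a bare substring match.
                $hit = $Domains | Where-Object { $uri.Host -eq $_ -or $uri.Host.EndsWith(".$_") }
                if ($hit) {
                    [pscustomobject]@{ Client = $f[1]; Url = $f[3]; Epoch = [int64]$f[0] }
                }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            [pscustomobject]@{
                Client = $_.Name
                Hits   = $_.Count
                Urls   = ($_.Group | ForEach-Object { $_.Url } | Sort-Object -Unique) -join ' '
            }
        }
}

# Expected: a single row for 10.0.0.15 with Hits = 2 and both .rar URLs.
Find-TawormClients -LogLines ($sampleLog -split "`r?`n") -Domains $suspectDomains |
    Format-Table -AutoSize
```

Replace `$sampleLog` with `Get-Content` of the real proxy log and the `-split` on the assumed field order with whatever your proxy actually writes. Each client that appears in the output should be treated as infected and cleaned with the host procedure in section 2.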
2. How-to's

a. Keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these Trojans, it breaks the connection and protects your network and business.

b. How to Remove the Trojan-GameThief.Win32.Taworm  Manually?

Step 1 : Remove the registry entries created by Trojan-GameThief.Win32.Taworm. If programs on the PC behave abnormally, immediately check the following entries in the Registry and delete the Trojan-related ones. Terminate the running apiqq.exe process (Task Manager) before you start, otherwise its executable cannot be deleted in Step 2; and do this from the affected user's account, since the Run value is under HKEY_CURRENT_USER.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
    • urlinfo = "dfrhjre.m"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • api32 = "%Temp%\apiqq.exe"

Step 2 : Delete the dropped files listed in section 1.a (c:\autorun.inf, %Temp%\apiqq.exe and %Temp%\apiqq0.dll through apiqq2.dll), then clean up the IE Temporary Internet Files folder, where the original carrier of the threat may still be stored. Files generated by Trojan-GameThief.Win32.Taworm may also be located in the following locations:

  • C:\Windows\System32
  • C:\Program Files\Common Files
  • C:\Documents and Settings

Finally, if the SHOWALL\CheckedValue entry from section 1.b was altered, set it back to a DWORD value of 1 so that "Show hidden files and folders" works again.
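The manual procedure above, and the host indicators from section 1, can be scripted so that the check and the cleanup run in the right order (process first, then persistence, then files, then the Explorer setting). The following PowerShell script is an added example, not part of the original article or of Sax2: the file names, registry paths and value names are taken from section 1, while the function names, the -Clean switch and the use of $env:TEMP for %Temp% are assumptions. It omits c:\io3yalc.exe because that name is specific to the analysed sample. Run it from an elevated prompt under the affected user's account; without -Clean it only reports.

```powershell
# Added example (not part of the original article): check a Windows host for the
# Taworm indicators from section 1 and, with -Clean, perform the manual removal steps.
# Must run elevated and as the affected user, because the Run value lives in HKCU.
param([switch]$Clean)

$tmp = $env:TEMP   # stands in for the report's %Temp%; adjust for another user's profile
$Iocs = @{
    Files    = @('C:\autorun.inf') +
               ('apiqq.exe', 'apiqq0.dll', 'apiqq1.dll', 'apiqq2.dll' | ForEach-Object { Join-Path $tmp $_ })
    RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunName  = 'api32'
    ClsidKey = 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN'
    ShowAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
}

function Test-TawormHost {
    # Returns one line per indicator found; an empty result means the host looks clean.
    $hits = @()
    foreach ($f in $Iocs.Files) {
        if (Test-Path -LiteralPath $f) { $hits += "file present: $f" }
    }
    $run = Get-ItemProperty -Path $Iocs.RunKey -Name $Iocs.RunName -ErrorAction SilentlyContinue
    if ($run) { $hits += "persistence: $($Iocs.RunKey)\$($Iocs.RunName) = $($run.api32)" }
    if (Test-Path $Iocs.ClsidKey) { $hits += "marker key: $($Iocs.ClsidKey)" }
    $sa = Get-ItemProperty -Path $Iocs.ShowAll -Name CheckedValue -ErrorAction SilentlyContinue
    if ($sa -and $sa.CheckedValue -ne 1) { $hits += "SHOWALL\CheckedValue is $($sa.CheckedValue), expected 1" }
    Get-Process -Name apiqq -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += "running: PID $($_.Id) $($_.Path)" }
    return $hits
}

function Remove-TawormHost {
    # Order matters: stop the process before deleting its image, or the delete fails.
    Get-Process -Name apiqq -ErrorAction SilentlyContinue | Stop-Process -Force
    # Step 1 of the manual procedure: persistence and the marker key.
    if (Get-ItemProperty -Path $Iocs.RunKey -Name $Iocs.RunName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $Iocs.RunKey -Name $Iocs.RunName
    }
    if (Test-Path $Iocs.ClsidKey) { Remove-Item -Path $Iocs.ClsidKey -Recurse -Force }
    # Step 2: dropped files (-Force also removes hidden/system-attributed files).
    foreach ($f in $Iocs.Files) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    # Restore Explorer's "Show hidden files and folders" setting to its default.
    if (Test-Path $Iocs.ShowAll) {
        Set-ItemProperty -Path $Iocs.ShowAll -Name CheckedValue -Value 1 -Type DWord
    }
}

$before = Test-TawormHost
if (-not $before) { Write-Output 'No Taworm indicators found.'; return }
$before | ForEach-Object { Write-Output "HIT  $_" }
if ($Clean) {
    Remove-TawormHost
    $after = Test-TawormHost
    if ($after) { $after | ForEach-Object { Write-Output "STILL PRESENT  $_" } }
    else        { Write-Output 'Cleanup complete; reboot and re-run this script to confirm.' }
}
```

The script only removes what the report lists. The am.rar and am1.rar payloads it downloaded are not covered, so follow up with a full scan using an anti-malware product, as recommended in the next section.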

c. How to Remove these Trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix

For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
