Infostealer.Gamania


Discovered: June 16, 2006
Updated: June 16, 2006 11:13:15 AM
Infection Length: 61,440 bytes
Systems Affected: Windows

Infostealer.Gamania is a Trojan horse that attempts to steal sensitive information related to the Gamania Online game.

Antivirus Protection Dates

  • Initial Rapid Release version June 16, 2006
  • Latest Rapid Release version July 22, 2019 revision 001
  • Initial Daily Certified version June 16, 2006
  • Latest Daily Certified version July 22, 2019 revision 007
  • Initial Weekly Certified release date June 21, 2006



Technical Description

Infostealer.Gamania is a Trojan horse that attempts to steal sensitive information related to the Gamania Online game.

When the Trojan is first executed, it creates the following files:
%System%\Kerne0223.exe
%System%\Kerne0223.dll
%Windir%\SVCH0ST.EXE
%System%\aer4532gxa.dll, which is a copy of Infostealer.Lineage (MCID 4130)
[PATH TO TROJAN]\gg.bat
%System%\drivers\etc\hosts (replacing the system's existing hosts file)
c:\log.txt

The file %System%\drivers\etc\hosts written by the Trojan contains entries for the following online-banking hosts. Because hosts-file entries take precedence over DNS resolution, visits to these banks are redirected to whatever address the entries specify (the target addresses are not listed here):
ibn.kbstar.com
banking.nonghyup.com
bank.nonghyup.com

Next, the Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\SoftWare\Microsoft\Windows\CurrentVersion\Run\"Kerne0223"="%System%\Kerne0223.exe"
HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%Windir%\SVCH0ST.EXE"
The second entry uses the legacy "load" value (carried over from the [windows] section of win.ini), an autostart location that not every autorun audit checks.

Then, the Trojan steals the Lineage online game password information.

When the user visits a Web page whose URL begins with one of the following strings, the Trojan steals the password information entered there (several entries end in a partial query string such as "?Message=", indicating that the match is on the URL prefix):
http://club.pchome.com.tw
http://gash.gamania.com/gash_loginform1.asp?Message=
http://tw.gamania.com/default.asp?user_locate=
http://tw.gamania.com/ghome/home_center.asp
http://tw.gamania.com/ghome/home_login.asp?Message=
http://tw.gamania.com/ghome/home_login.asp?user_locate=/ghome/home_center.asp
http://tw.gashcard.gamania.com/
http://www.gamania.com/ghome/home_center.asp
https://gash.gamania.com/gashinclude/top.asp
https://gash.gamania.com/gashindex.asp
https://gash.gamania.com/joinwithgama/
https://gash.gamania.com/openmainaccount/
https://gash.gamania.com/queryaccount/
https://tw.event.gamania.com/lineageevent/e20050502/index.asp
https://tw.event.gamania.com/lineageevent/modify_warehouse_pwd/index.asp
https://tw.gash.gamania.com/GASHLogin.aspx?
https://tw.gash.gamania.com/UpdateMainAccountPassword.aspx
https://tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?
https://tw.gash.gamania.com/accountctr/changeservicepwd.asp
https://tw.gash.gamania.com/gashindex.asp
https://tw.gash.gamania.com/index.aspx
https://tw.gash.gamania.com/joinwithgama/
https://tw.goodlock.gamania.com/ShowNew.aspx
https://tw.goodlock.gamania.com/changeservicepwd.asp
https://tw.goodlock.gamania.com/index.aspx
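The following triage script is an added example, not Symantec's tooling or part of the Trojan. It turns three of the indicators above into checks a responder can run: the banking hostnames injected into the hosts file, the two autostart registry values, and the monitored URL prefixes. The indicator strings are copied from this writeup; the sample hosts-file text and registry data embedded for the off-box dry run are constructed, the hive path spelling (HKCU\...) is the script's own, and treating the monitored URLs as prefix matches (with the trailing "?" or "=" included) is an assumption drawn from how the list is written, not something the writeup states. Only a few of the monitored URLs are included; extend MONITORED_URL_PREFIXES with the rest of the list as needed.

```python
"""Triage helpers for the Infostealer.Gamania indicators listed above.

Added example, not Symantec's tooling. Indicator strings come from the writeup;
the sample hosts-file text and registry values used off-box are constructed.
"""
import ntpath   # handles backslash paths even when run on a non-Windows analyst box
import os
import sys

# Banking hostnames the Trojan writes into %System%\drivers\etc\hosts.
BANK_HOSTS = {"ibn.kbstar.com", "banking.nonghyup.com", "bank.nonghyup.com"}

# (hive\key, value name) -> data the Trojan writes. Hive spelling is this script's own.
AUTORUN_ENTRIES = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Kerne0223"):
        r"%System%\Kerne0223.exe",
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "load"):
        r"%Windir%\SVCH0ST.EXE",
}

# A subset of the monitored URLs, treated as prefixes (assumption: the trailing
# '?' / '=' in the writeup is part of what the Trojan matches).
MONITORED_URL_PREFIXES = (
    "http://club.pchome.com.tw",
    "http://gash.gamania.com/gash_loginform1.asp?Message=",
    "https://tw.gash.gamania.com/GASHLogin.aspx?",
    "https://tw.goodlock.gamania.com/index.aspx",
)


def hosts_hijacks(hosts_text):
    """Return [(hostname, address)] for every hosts-file line that pins one of the
    targeted banking names. A clean hosts file never mentions them, so any hit means
    name resolution for that bank is being overridden locally."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in BANK_HOSTS:
                hits.append((name.lower(), address))
    return hits


def autorun_hits(values):
    """values: {(key, value_name): data} as read from HKCU. Returns the entries whose
    data names one of the Trojan's dropped executables. Compared by file name only,
    so an expanded %System% path or surrounding quotes do not hide a match."""
    lookup = {(k.lower(), n.lower()): d for (k, n), d in values.items()}
    found = []
    for (key, name), expected in AUTORUN_ENTRIES.items():
        data = lookup.get((key.lower(), name.lower()))
        if data is None:
            continue
        actual = ntpath.basename(data.strip().strip('"')).lower()
        if actual == ntpath.basename(expected).lower():
            found.append((key, name, data))
    return found


def url_is_monitored(url):
    """True when a browser URL starts with one of the prefixes the Trojan watches."""
    u = url.lower()
    return any(u.startswith(p.lower()) for p in MONITORED_URL_PREFIXES)


def live_scan():
    """Read the real hosts file and HKCU autorun values. Windows only."""
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hijacks = hosts_hijacks(fh.read())
    import winreg  # standard library, present only on Windows
    values = {}
    for (key, name) in AUTORUN_ENTRIES:
        subkey = key.split("\\", 1)[1]             # strip the "HKCU\" hive prefix
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
                values[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass                                   # key or value absent: nothing to report
    return hijacks, autorun_hits(values)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(live_scan())
    else:
        # Constructed sample for a dry run on a non-Windows box.
        sample_hosts = "127.0.0.1 localhost\n192.0.2.10 ibn.kbstar.com bank.nonghyup.com # injected\n"
        print(hosts_hijacks(sample_hosts))
```

Any non-empty result from hosts_hijacks or autorun_hits is a positive for this family on the examined host; url_is_monitored is the check to apply to proxy or browser-history records when deciding which credentials to treat as exposed.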