Packer.Malware.NSAnti.1

( PWS:Win32/Frethog (OneCare) Trojan.Packed.NsAnti (Symantec) PWS-Gamania.gen.a (McAfee) Trojan.Nsanti.Packed (DrWeb) )

SYMPTOMS:

Unusual network activity.
IExplore.exe processes with hidden windows.
Presence of files with similar names as the one described.

TECHNICAL DESCRIPTION:

Packer.Malware.NSAnti.1 is the name for a generic detection of malicious packed PWS-Onlinegames trojans which attempt to steal password and user information for specific online games. These are usually downloaded by other malware or even by users when visiting malicious websites. These trojans also have the ability to download updated versions of themselves or other malware.

When launched for the first time, this malware copies itself in "%system32%\[name].exe" and also drops a file as "%system32%\[name][digit].dll"

[name] is usually a 4-letter string, usually: "amvo", "kavo", "kxvo", "mmvo", "tavo".

If "[name].exe" was "amvo.exe", "[name][digit].dll" would be "amvo0.dll" or "amvo1.dll"

 

The malware has worm functionality and copies itself in the root of removable devices and adds an "autorun.inf" file in order to be launched every time the device is accesed. Also, it adds a value in the registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run in order to be launched every time the system is started.

Examples of games targeted by this malware are: Silkroad Online, KnightOnline, Lineage or Cabal Online.

 

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dan Anton, virus researcher