Trojan-PSW:W32/Magania

Classification

Category :

Malware

Type :

Trojan-PSW

Aliases :

Trojan-PSW:W32/Magania, Trojan-PSW:W32/Magania, Packer.Malware.NSAnti.D, Packer.Malware.NSAnti.J trojan-gamethief.win32.magania, PWS:Win32/Frethog.gen!H (Microsoft)

Summary

This type of trojan steals passwords and other sensitive information. It may also secretly install other malicious programs.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-PSW:W32/Magania is a large family of login/password stealing trojans that are reportedly made in China. The main purpose of the trojan is to steal logons and passwords from users who play on-line games, provided by Gamania.It should be noted that some on-line games allow users to sell their character's possessions for real cash, so the motivation behind the creation of such trojans is to steal virtual goods and to convert those goods into real-world cash.

Distribution

These trojans are usually distributed in file attachments to email messages spammed out to victims by hackers. The file attachment is typically a single executable program. In most cases such an attachment is a self-extracting RAR archive that contains at least one more embedded archive. In one of these archives there's always a Magania trojan.

Installation

Once the infectious attachment is run, it usually displays an image as a decoy. At the same time the trojan's payload is activated. The trojan installs itself to the system by copying itself to one of the Windows subfolders or to the Windows System folder. It then drops a DLL file that represents the main spying component. The trojan registers the dropped DLL as a component of Internet Explorer, so it always has access to the Internet and can monitor URLs that are visited in the browser.

Activity

With the stolen information a hacker can logon onto a game using the stolen credentials and manipulate someone's game character. For example, the hacker can transfer valuable items that someone's character possesses to a secret location, where they can be picked up by another character, played by the hacker. Some hackers sell the stolen information to the highest bidder.