Threat Description

Trojan-PSW:W32/Magania

Details

Aliases: Trojan-PSW:W32/Magania, Trojan-PSW:W32/Magania, Packer.Malware.NSAnti.D, Packer.Malware.NSAnti.J trojan-gamethief.win32.magania, PWS:Win32/Frethog.gen!H (Microsoft)
Category: Malware
Type: Trojan-PSW
Platform: W32

Summary


This type of trojan steals passwords and other sensitive information. It may also secretly install other malicious programs.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


Trojan-PSW:W32/Magania is a large family of login/password stealing trojans that are reportedly made in China. The main purpose of the trojan is to steal logons and passwords from users who play on-line games, provided by Gamania.It should be noted that some on-line games allow users to sell their character's possessions for real cash, so the motivation behind the creation of such trojans is to steal virtual goods and to convert those goods into real-world cash.

Distribution

These trojans are usually distributed in file attachments to e-mail messages spammed out to victims by hackers. The file attachment is typically a single executable program. In most cases such an attachment is a self-extracting RAR archive that contains at least one more embedded archive. In one of these archives there's always a Magania trojan.

Installation

Once the infectious attachment is run, it usually displays an image as a decoy. At the same time the trojan's payload is activated. The trojan installs itself to the system by copying itself to one of the Windows subfolders or to the Windows System folder. It then drops a DLL file that represents the main spying component. The trojan registers the dropped DLL as a component of Internet Explorer, so it always has access to the Internet and can monitor URLs that are visited in the browser.

Activity

With the stolen information a hacker can logon onto a game using the stolen credentials and manipulate someone's game character. For example, the hacker can transfer valuable items that someone's character possesses to a secret location, where they can be picked up by another character, played by the hacker. Some hackers sell the stolen information to the highest bidder.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More