

How to Detect and Remove the Trojan-GameThief.Win32.Taworm

Submitted by AndyHuang
Tue, 12 Oct 2010

1. What is Trojan-GameThief.Win32.Taworm?

Trojan-GameThief.Win32.Taworm is a Trojan horse that targets Windows operating systems. It propagates via unsolicited e-mails and malicious websites. Once it has infiltrated a system, it downloads additional malware and degrades the performance of the infected machine. It is advisable to remove Trojan-GameThief.Win32.Taworm from an infected computer immediately after detection.
a. The following files were created on the system:

c:\autorun.inf

%Temp%\apiqq.exe
c:\io3yalc.exe ([file and pathname of the sample #1])

%Temp%\apiqq0.dll
%Temp%\apiqq1.dll
%Temp%\apiqq2.dll

Notes:

%Temp% is a variable that refers to the temporary folder in its short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
b. Registry Modifications

* The following Registry Key was created:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN

* The following Registry Values were created:
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
    urlinfo = "dfrhjre.m"
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    api32 = "%Temp%\apiqq.exe"
    so that apiqq.exe runs every time Windows starts

* The following Registry Value was modified:
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    CheckedValue =

c. Other details

* An attempt to establish a connection with a remote host was recorded. The connection details are:

  Remote Host        Port Number
  58.218.210.2080    80

  (The host value as printed is not a valid IPv4 address, since its last group exceeds 255; verify it against another source before using it as a blocklist entry.)

* The data identified by the following URLs was then requested from the remote web server:
  - http://www.baiduop0.com/1mg/am1.rar
  - http://www.baiduop0.com/1mg/am.rar
2. How-to's

a. Keep the policy knowledge base of Sax2 up to date. Once Sax2 detects the communication of these Trojans, it will break the connection and keep your network and business secure.
b. How to remove Trojan-GameThief.Win32.Taworm manually?

Step 1: Remove the registry entries hidden by Trojan-GameThief.Win32.Taworm. Once you find that some programs on your PC run abnormally, immediately check the following entries in the Registry and delete the spyware-related entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
  urlinfo = "dfrhjre.m"
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  api32 = "%Temp%\apiqq.exe"

Step 2: Clean up the IE Temporary Internet Files folder, where the original carrier of the threat may be stored. The malicious files generated by Trojan-GameThief.Win32.Taworm.bho may also be located in the following locations:
* C:\Windows\System32
* C:\Program Files\Common Files
* C:\Documents and Settings
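The indicators in section 1 and the manual checks in Step 1 and Step 2 can be matched mechanically against artefacts exported from a suspect machine (a registry dump, a directory listing, web proxy logs). The script below is an added example, not code from the article or from Sax2. It keys on the file names, registry values and download host given above; the remote IP is omitted because, as printed, it is not a valid address. The sample inputs are constructed for illustration, and the assumption that SHOWALL\CheckedValue should normally be 1 (the Windows default for showing hidden files) is mine, since the article does not state what the Trojan writes there.

```python
"""Offline IoC matcher for the Trojan-GameThief.Win32.Taworm indicators.

Added example (not the article's or Sax2's own code). It runs on any OS
against exported artefacts, so it does not touch a live registry.
"""
import re

# File indicators from the article; %Temp% is expanded at match time.
FILE_IOCS = [
    r"c:\autorun.inf",
    r"%Temp%\apiqq.exe",
    r"c:\io3yalc.exe",
    r"%Temp%\apiqq0.dll",
    r"%Temp%\apiqq1.dll",
    r"%Temp%\apiqq2.dll",
]

# (key, value name) pairs the Trojan creates, lower-cased because the
# Windows registry is case-insensitive.
REGISTRY_IOCS = {
    (r"hkey_local_machine\software\classes\clsid\madown", "urlinfo"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\run", "api32"),
}
SHOWALL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")

# Host from which the article says additional payloads were fetched.
NETWORK_IOCS = {"www.baiduop0.com"}


def expand_temp(path, user_temp):
    """Replace the %Temp% placeholder with the user's temp folder, lower-cased."""
    return path.lower().replace("%temp%", user_temp.lower())


def match_files(file_listing, user_temp):
    """Return the listed paths that equal one of the file indicators."""
    wanted = {expand_temp(p, user_temp) for p in FILE_IOCS}
    return [p for p in file_listing if p.lower() in wanted]


def match_registry(reg_values):
    """reg_values: iterable of (key, value_name, data) triples from a dump.

    Flags the created values from the article and, as an assumption, any
    SHOWALL\\CheckedValue that is not the default of 1.
    """
    findings = []
    for key, name, data in reg_values:
        k, n = key.lower(), name.lower()
        if (k, n) in REGISTRY_IOCS:
            findings.append(f"{key}\\{name} = {data!r}")
        elif k == SHOWALL_KEY and n == "checkedvalue" and str(data) != "1":
            findings.append(f"{key}\\{name} modified to {data!r}")
    return findings


def match_network(log_lines):
    """Return proxy/web log lines whose request host is a network indicator."""
    host_re = re.compile(r"https?://([^/\s:]+)", re.I)
    hits = []
    for line in log_lines:
        m = host_re.search(line)
        if m and m.group(1).lower() in NETWORK_IOCS:
            hits.append(line)
    return hits


def scan(file_listing, reg_values, log_lines, user_temp):
    """Run all three matchers and group the findings by artefact type."""
    return {
        "files": match_files(file_listing, user_temp),
        "registry": match_registry(reg_values),
        "network": match_network(log_lines),
    }


# Constructed sample inputs (not real case data).
SAMPLE_TEMP = r"C:\Documents and Settings\alice\Local Settings\Temp"
SAMPLE_FILES = [
    r"C:\autorun.inf",
    r"C:\Documents and Settings\alice\Local Settings\Temp\apiqq.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\apiqq1.dll",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "api32", r"%Temp%\apiqq.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Program Files\Example\updater.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN", "urlinfo", "dfrhjre.m"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", 0),
]
SAMPLE_PROXY_LOG = [
    "2010-10-12 09:14:03 10.0.0.7 GET http://www.baiduop0.com/1mg/am1.rar 200",
    "2010-10-12 09:14:05 10.0.0.7 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_FILES, SAMPLE_REGISTRY,
                           SAMPLE_PROXY_LOG, SAMPLE_TEMP).items():
        print(f"{kind}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h)
```

In practice the three inputs come from `reg export` of the two hives, a recursive `dir /s /b` of the suspect drive, and the web proxy's access log; a hit in any category is enough to take the machine off the network before following the manual removal steps.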
c. How to remove these Trojans instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, among them a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

 

I'm a network security expert and found that detecting and resolving network security problems with the intrusion software Sax2 is a good way. It can resolve many problems, such as ARP spoofing, SQL injection attacks, worms, backdoor Trojans and so on.


Source: ArticleTrader.com
Creative Commons License
