Yahoo trojans (Magic_PS_1.5)


DemetriusCrisco
February 8th, 2004, 01:33 AM
OK.....we all know that trojans and keyloggers are a pain in the a$$...well the trojan that I am going to talk about is called Magic_PS_1.5. Well.....1st we are going to look and see if you're infected with it...(If you don't use Yahoo messenger then you probably aren't infected with it.)

Ok the 1st thing you need to do is press ctrl+alt+del (control+alt+delete). If it says "Task Manager has been disabled by the administrator" and you are the administrator, you are probably infected.
2nd. If you go to start---->run---->regedit and press enter and it says "Regedit has been disabled by the administrator" and you are the administrator, then you are probably infected.
3rd and finally...log on to yahoo messenger and see if a small window opens and closes too fast for you to read what it says...then you are surely infected..

~removal~

Ok....most anti-viruses won't catch this trojan...if you open it up it may look like a regular program because it has an option where you can bind it to another program. (When you open it, it will open a pic, program, anything the person who sent it to you wants it to appear to look like he sent you.) The reason why it is like this is because the person who sent it to you doesn't even want you to know that you have opened a trojan......
This trojan when opened actually copies itself to 3 different places on your computer, and it isn't in yahoo, it's in your startup folder...

The best way to get rid of it is to follow these steps:

***ok since it starts up on start-up.....all we have to do to get rid of it is...***

1. Click Start.
2. Click Run.
3. Type Msconfig.
4. Click on the Start-up tab.
5. Find the startup item.
6. Uncheck the box beside it.
7. Change your Yahoo password.
8. You're all done!

Please post your questions or comments by clicking the "reply" button........If this has helped you at all please let me know!

*** Written by:***
Demetrius Crisco

Gavin - DiamondCS
February 8th, 2004, 05:04 AM
Hi Demetrius,

Thanks for the efforts for anyone who encounters this trojan. If you have a sample, please check it with TDS-3 or submit it to submit@diamondcs.com.au? I remember this one's name and have quite a few versions

Longthing
February 8th, 2004, 11:08 AM
All you have done this way is preventing the trojan from starting on windows startup. You still have to remove some files.

DemetriusCrisco
February 8th, 2004, 12:24 PM
True.....But...If you can just make it not start up then you won't even have to worry about removing it...But yea I should post how to get it off.....but I would then have to infect myself with it again and see how to do it again.....The next post I make will be how to get it off!

DemetriusCrisco
February 8th, 2004, 12:31 PM
Magic-PS is a key logger that only affects Yahoo Messenger users. Its purpose is to log and send the user's password to another Yahoo Chat member through a private message sent by the victim's Yahoo Messenger. It disables Yahoo Messenger's Save Password feature, so you are required to type in the password. Signs of infection include a fast Yahoo Messenger private message window that opens and closes upon login.

Removal:
Please note that the removal of Magic PS differs depending on the options the attacker chose: Disable Taskmgr xp-2k, Disable regedit, and Disable Msconfig. I will try to cover everything.

Step 1- Look for suspicious processes
Magic PS has a default filename list that users can choose from within the program that generates the key logger.

regsvr.exe spool_32.exe spool_32.exe svchost .exe
winzip_32.exe MsTask .exe winzip_try.exe spoolsvr.exe
ExpIorer.exe taskmgr_32.exe system_32.exe intranet.exe
norton.exe regclean.exe starter .exe iexpIore.exe
regscan_32.exe osa .exe

Note that these are just the default names. The user can choose any filename he wants. In this case, you will have to rely on other means of detecting it. If your Task Manager is enabled, look for a process that is running under your Windows user account that is using about 3,416k in memory. This alone doesn't mean it is Magic PS, however.
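The default list above shows two naming tricks worth checking for by hand or by script: a capital "I" standing in for a lowercase "l" (ExpIorer.exe, iexpIore.exe) and a space slipped in before the extension (svchost .exe, MsTask .exe). The following Python checker is an added example, not code from the thread; the set of legitimate binaries it compares against and the sample process list are assumptions constructed for the demo.

```python
import re

# Default filenames the post lists for Magic PS (copied from the thread).
MAGIC_PS_DEFAULT_NAMES = {
    "regsvr.exe", "spool_32.exe", "svchost .exe", "winzip_32.exe",
    "MsTask .exe", "winzip_try.exe", "spoolsvr.exe", "ExpIorer.exe",
    "taskmgr_32.exe", "system_32.exe", "intranet.exe", "norton.exe",
    "regclean.exe", "starter .exe", "iexpIore.exe", "regscan_32.exe",
    "osa .exe",
}
# Legitimate Windows binaries the defaults imitate (assumed reference set).
LEGIT_NAMES = {"explorer.exe", "iexplore.exe", "svchost.exe", "mstask.exe",
               "osa.exe", "taskmgr.exe", "spoolsv.exe"}


def canonical(name: str) -> str:
    """Collapse the look-alike tricks so an imitation maps onto the real name."""
    n = name.strip().lower().replace(" ", "")   # "svchost .exe" -> "svchost.exe"
    stem, dot, ext = n.rpartition(".")
    if not dot:
        return n
    stem = re.sub(r"_[a-z0-9]+$", "", stem)     # "taskmgr_32" -> "taskmgr"
    # After lower-casing, the capital I in "ExpIorer" is an "i"; treat i as l.
    return stem.replace("i", "l") + "." + ext


LEGIT_CANON = {canonical(real): real for real in LEGIT_NAMES}


def classify(name: str):
    """Return a reason string if the process name looks suspicious, else None."""
    if name in MAGIC_PS_DEFAULT_NAMES:
        return "magic-ps default filename"
    if name.lower() in LEGIT_NAMES:
        return None                              # the genuine binary
    target = LEGIT_CANON.get(canonical(name))
    return f"look-alike of {target}" if target else None


def scan(process_names):
    """Return [(name, reason)] for every flagged entry in a process list."""
    return [(n, classify(n)) for n in process_names if classify(n)]


# Constructed sample process list, not a real capture.
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "Svchost .exe",
                    "taskmgr_32.exe", "notepad.exe", "ExpIorer.exe"]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_PROCESSES):
        print(f"{name!r}: {reason}")
```

A name that passes this check can still be the trojan under a custom filename, which is why the post falls back to the memory footprint and the "magic-ps" string search.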

To make sure the suspected process is in fact Magic PS, you should run a memory editor on the process. I suggest WinHack 2 (Admin note - We had to remove this link as it pointed to a site that can not be linked from Wilders, per our TOS. People wanting to follow the advice in this post will have to find a process dump / viewer tool on their own to do so. Please use caution looking for such tools. Malware may very well be contained in kits promising to be that type of tool. LWM) Extract the contents of winhack2.zip and open WinHack2.exe. Under the Edit a Game's Memory tab, you will see a Process drop down box with currently running processes. Choose the process that took about 3,416k in memory and click on the Edit Memory tab. You will see a search box; enter: magic-ps. If found, this is the right process. Close it with Task Manager, if enabled. If the Task Manager is disabled, you will have to use a third-party process viewer/terminator. You can download one at http://www.nesoft.org/terminator/term.exe. Note that you need to close the process before you can delete Magic PS.

Step 2- Removing Magic PS
After the Magic PS process is closed, click on the Start Menu, go to Search, and click on For Files and Folders. Click on the All files and folders button. Enter "Magic_w" without the quotes in the A word or phrase in the file text box and click search. Delete all entries.

Step 3- Fixing Task Manager, regedit, and msconfig
http://is-it-true.org/nt/xp/registry/rtips23.shtml

Thanks Sapient For all the help!


***Demetrius Crisco***

WestSidePlayer
February 17th, 2004, 04:19 AM
<snipped, keep it friendly - Pieter> that's not how the Magic PW stealer works. It simply reads two registry strings like this

Dim gpwrd As New YCrypto
Set gpwrd = New YCrypto
Dim username As String
gpwrd2 = ReadKey("HKEY_CURRENT_USER\Software\Yahoo\Pager\EOptions String")
username = ReadKey("HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID")
gpwrd.Init 1, 0, username
Text2.Text = gpwrd2
Text1.Text = ReadKey("HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID")

it decrypts them using a user control and sends them back to the author of the "fake booter" most likely. This is not a harmful program, I wouldn't worry about it. It is mainly used by lamers on yahoo who steal illegal Yahoo accounts. You know, those accounts on yahoo you cannot make anymore "_____godess______", "gode$$" etc.....

but that's how it works, that's actually code from it :>

hoang
March 14th, 2004, 08:05 PM
How can I get this trojan? I want to have it
Thanks a lot

Paul Wilders
March 14th, 2004, 08:17 PM
Quoting hoang:
How can I get this trojan? I want to have it
Thanks a lot

Have a look at our TOS - unless someone contacts you in private, such info will not be revealed/allowed over here ;)

regards.

paul

minhhoang
March 19th, 2004, 02:51 AM
I didn't have the password. How can I get it?
Anyone can help me
Thanks a lot

Paul Wilders
March 19th, 2004, 07:16 PM
Quoting minhhoang:
I didn't have the password. How can I get it?
Anyone can help me
Thanks a lot

No use in using different guest names here - you will not get it publicly on this board - period.

regards.

paul

bedspacer
May 28th, 2004, 05:33 PM
I have been infected by this annoying password stealer trojan. I am a bit illiterate so can someone try to help me on how to get rid of this in layman's terms. By following the steps in here (THANKS A LOT GUYS) I can now use ctrl alt delete but I think I am still infected. I cannot find the magic_w in the search so I probably still have it. Please contact me to help me out please. The hacker has gone through my email and is blackmailing me. HELP PLS. PS..my computer is close to being real crazy as all of my documents have turned into dll. Can someone help me with that too? Or are these all connected to each other?

snowbound
May 28th, 2004, 05:59 PM
Hi bedspacer :)

Welcome to Wilders.

It is policy to register as a member first before u do the following,

Please follow the instructions here,

http://www.wilderssecurity.com/showthread.php?t=15913

then post your HijackThis log in the hijack cleaning forums with a full description of your problem and one of the experts will give u recommendations on any Malware found.

I repeat, u must register first before u can post in the hijack cleaning forum.


snowbound

zekky
June 16th, 2004, 08:02 PM
I have exactly the same symptoms as demetrius mentioned. Tried to locate winhack2.exe but am afraid that I might get malware instead (there's quite a few download sites for this prog).

I can re-enable taskmgr and kill the suspected process based on the 3416k process (svchost.exe). I've done a search for the string magic_w on find files but it reports no files found.

Any thoughts?

Gavin - DiamondCS
June 17th, 2004, 12:33 AM
TDS-3 should detect it, if nothing is detected with the latest databases email support and I will help you find and kill it :)

zekky
June 17th, 2004, 04:40 PM
Thanks Gavin. Got another thread going so maybe we'll just continue it there... Z
http://www.wilderssecurity.com/showthread.php?t=36678