Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.NNU [Threat Variant Name]

Category: trojan
Size: 118853 B
Detection created: Apr 07, 2008
Detection database version: 10979
Aliases: Trojan-GameThief.Win32.Magania.cepk (Kaspersky), Worm:Win32/Taterf.B (Microsoft), Trojan.Horse (Symantec)
Short description

Win32/PSW.OnLineGames.NNU is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the %temp% folder using the following name:

  • herss.exe (118853 B)

The following file is dropped in the same folder:

  • cvasds%number%.dll (77799 B)

The variable %number% represents a randomly generated number in the range 0-9.


Libraries with the following names are injected into all running processes:

  • %temp%\cvasds%number%.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "cdoosoft" = "%temp%\herss.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 91

Spreading

The trojan copies itself into the root folders of fixed and/or removable drives using one of the following file names:

  • t2hjo0.exe
  • r2g20.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.
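
On current Windows versions an autorun.inf on a removable drive is no longer honoured, so today the file is mostly an indicator rather than an infection vector, but the drive roots still need to be checked and cleaned. The script below is an added example, not part of ESET's description: it enumerates the fixed and removable drives named above, reports the two copy names listed on this page, and parses any autorun.inf found to show which file it would launch. It assumes PowerShell 3 or later (for Get-CimInstance); the function names are mine.

```powershell
# Added example (not ESET's code): scan drive roots for the spreading artifacts
# listed for Win32/PSW.OnLineGames.NNU and show what each autorun.inf points at.

function Get-AutorunTargets {
    param([string]$IniPath)
    # Pulls the launch directives out of an autorun.inf: open=, shellexecute=
    # and shell\<verb>\command=. Only the [autorun] section is considered;
    # -match is case-insensitive, which covers "[AutoRun]" and "Shell\Open\Command".
    $targets = @()
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $IniPath -ErrorAction SilentlyContinue) {
        $l = $line.Trim()
        if ($l -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $l -eq '' -or $l.StartsWith(';')) { continue }
        if ($l -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $targets += [pscustomobject]@{ Directive = $Matches[1]; Target = $Matches[2].Trim() }
        }
    }
    return $targets
}

function Find-DriveRootIndicators {
    $findings = @()
    # Win32_LogicalDisk DriveType 2 = removable, 3 = fixed: the drive kinds the page names.
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { @(2, 3) -contains $_.DriveType }
    foreach ($d in $disks) {
        $root = $d.DeviceID + '\'
        foreach ($name in 't2hjo0.exe', 'r2g20.exe') {
            $p = Join-Path $root $name
            if (Test-Path -LiteralPath $p) {
                $findings += [pscustomobject]@{ Drive = $d.DeviceID; Item = $p; Detail = 'copy name listed on the page' }
            }
        }
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $launch = Get-AutorunTargets -IniPath $inf
            $detail = if ($launch) {
                ($launch | ForEach-Object { "$($_.Directive)=$($_.Target)" }) -join '; '
            } else { 'no launch directive parsed' }
            $findings += [pscustomobject]@{ Drive = $d.DeviceID; Item = $inf; Detail = $detail }
        }
    }
    return $findings
}

$hits = @(Find-DriveRootIndicators)
if ($hits.Count -eq 0) { 'No drive-root indicators found.' } else { $hits | Format-Table -AutoSize -Wrap }
```

The parsed launch target is the useful part: the copy names vary between variants, so an autorun.inf whose open= or shell\open\command= line names an unexpected executable in the drive root is the indicator to act on, whatever that executable is called.
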

Information stealing

The trojan collects various information related to online computer games.


The trojan gathers information related to the following processes:

  • ageofconan.exe
  • cabalmain.exe
  • client.exe
  • dekaron.exe
  • dofus.dll
  • gameguard.des
  • gw.exe
  • knightonline.exe
  • lotroclient.exe
  • maplestory.exe
  • metin2.bin
  • neuz.exe
  • pol.exe
  • sro_client.exe
  • turbinelauncher.exe
  • wow.exe

The trojan is able to log keystrokes.


The trojan can send the information to a remote machine.


The HTTP protocol is used.

Other information

The trojan interferes with the operation of some security applications to avoid detection.


The following programs are terminated:

  • ALUSCHEDULERSVC.EXE
  • ASHDISP.EXE
  • AVGNT.EXE
  • AVGRSX.EXE
  • AVP.EXE
  • AYAGENT.AYE
  • CCSVCHST.EXE
  • EKRN.EXE
  • LIVESRV.EXE
  • UFSEAGNT.EXE
  • VCRMON.EXE
  • VSTSKMGR.EXE

The trojan can download and execute a file from the Internet.


The trojan contains a list of 5 URLs.


It uses techniques common to rootkits.
