Thursday, 23 February 2012

PWS:Win32/OnLineGames.BX


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Oct 07, 2009

Aliases
  • Trojan-GameThief.Win32.Magania.cfef (Kaspersky)
  • W32/OnLineGames.KWIF (Norman)
  • Trojan.PWS.Magania.VIE (VirusBuster)
  • Win32/PSW.OnLineGames.NTR (ESET)
  • Infostealer.Gampass (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.175.0
Released: Feb 22, 2012
Detection initially created:
Definition: 1.51.360.0
Released: Feb 06, 2009

Summary

PWS:Win32/OnLineGames.BX is a detection for a trojan that steals account information for certain online games and instant messaging applications. It logs the stolen account information by intercepting network traffic and monitoring specific APIs. It then sends the stolen information to a remote server.

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Technical Information (Analysis)

Installation

PWS:Win32/OnLineGames.BX may be dropped and installed by other malware, for example, PWS:Win32/OnLineGames.BX.dr.

Payload

Steals Account Information

PWS:Win32/OnLineGames.BX is loaded when applications try to use the Windows Socket functions. It attempts to intercept network connection, receive, send, and close operations if the process name is any of the following:

  • AClient.exe
  • client.exe
  • ElementClient.exe
  • Game.bin
  • Game.exe
  • Lin.bin
  • MapleStory.exe
  • Ragexe.exe
  • RagFree.exe
  • Ragnarok.exe
  • ZodiacOnline.exe

Most of these processes are associated with online games.

PWS:Win32/OnLineGames.BX tries to intercept the 'CryptEncrypt' and 'CryptDecrypt' APIs and network connection operations if the process name is any of the following:

  • _BeanFunCore.exe
  • iexplore.exe
  • msnmsgr.exe
  • YahooMessenger.exe

Most of these processes are associated with instant messaging and other online applications.

It then filters the intercepted network traffic to log information, including the following:

  • Account name
  • Password
  • Login server

PWS:Win32/OnLineGames.BX then sends the logged information to a remote server. One remote server it has been observed to send information to is 'ccaatt.com'.
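
As an added example (not part of the encyclopedia entry), the following Python script turns the behaviour described above into detection logic run over constructed Sysmon-style events: it flags DNS queries or connections to the named exfiltration server, and unsigned modules loaded into any of the listed game or messaging processes, which is where the trojan hooks Winsock and CryptoAPI. Field names follow Sysmon event IDs 3, 7 and 22; the sample events and the module path are constructed, not real telemetry.

```python
from dataclasses import dataclass

# Process names in which the entry says the trojan hooks Winsock operations.
WINSOCK_HOOK_TARGETS = {
    "aclient.exe", "client.exe", "elementclient.exe", "game.bin", "game.exe",
    "lin.bin", "maplestory.exe", "ragexe.exe", "ragfree.exe", "ragnarok.exe",
    "zodiaconline.exe",
}
# Process names in which it hooks CryptEncrypt/CryptDecrypt and connections.
CRYPTO_HOOK_TARGETS = {"_beanfuncore.exe", "iexplore.exe", "msnmsgr.exe",
                       "yahoomessenger.exe"}
EXFIL_HOSTS = {"ccaatt.com"}  # remote server named in the entry

@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return one Alert per event matching a behaviour from the entry."""
    alerts = []
    for ev in events:
        proc, eid = _basename(ev.get("Image", "")), ev.get("EventID")
        if eid == 22 and ev.get("QueryName", "").lower() in EXFIL_HOSTS:
            alerts.append(Alert("exfil-dns", proc, ev["QueryName"]))
        elif eid == 3 and ev.get("DestinationHostname", "").lower() in EXFIL_HOSTS:
            alerts.append(Alert("exfil-connect", proc,
                                f"{ev['DestinationHostname']}:{ev.get('DestinationPort')}"))
        elif (eid == 7 and proc in WINSOCK_HOOK_TARGETS | CRYPTO_HOOK_TARGETS
              and ev.get("Signed", "false").lower() != "true"):
            family = "winsock" if proc in WINSOCK_HOOK_TARGETS else "cryptoapi"
            alerts.append(Alert(f"unsigned-module-in-{family}-target", proc,
                                _basename(ev.get("ImageLoaded", ""))))
    return alerts

# Constructed sample events; hook.dll is a placeholder name, not an indicator.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Games\MapleStory.exe", "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Games\MapleStory.exe", "ImageLoaded": r"C:\Windows\Temp\hook.dll", "Signed": "false"},
    {"EventID": 22, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "QueryName": "ccaatt.com"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationHostname": "ccaatt.com", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationHostname": "update.example.net", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The signed ws2_32.dll load and the unrelated HTTPS connection produce no alert; the other three events do.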
Analysis by Shawn Wang
