Saturday, 25 February 2012

PWS:Win32/OnLineGames.GP


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Mar 12, 2010

Aliases
  • Win-Trojan/Vilsel.24632.B (AhnLab)
  • Trojan.Win32.Vilsel.rtn (Kaspersky)
  • W32/Onlinegames.LHCI (Norman)
  • Trojan.PWS.OnLineGames.BKNB (VirusBuster)
  • PSW.OnlineGames3.ABBZ (AVG)
  • Trojan.PWS.Wsgame.17202 (Dr.Web)
  • Win32/PSW.OnLineGames.OQU (ESET)
  • Virus.Win32.OnLineGames (Ikarus)
  • PWS-OnlineGames.ha (McAfee)
  • Troj/GamPass-X (Sophos)
  • Infostealer.Gampass (Symantec)
  • TROJ_ONLINEG.SMA (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.359.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.71.1533.0
Released: Dec 30, 2009



Summary

PWS:Win32/OnLineGames.GP is a detection for a trojan that steals account information for certain online games. It also infects particular files in order to automatically execute the trojan components.



Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).



Technical Information (Analysis)

PWS:Win32/OnLineGames.GP is a detection for a trojan that steals account information for certain online games. It also infects particular files in order to automatically execute the trojan components.

Installation

This trojan may be downloaded and installed by other malware, such as TrojanDownloader:Win32/Chekafe.A, or may be installed when visiting malicious Web sites. The trojan may be present as the following files:
 
%temp%\<3 random letters>.tmp
%temp%\<5 random letters>.drv
%windir%\system\<3 random letters>.tmp
%windir%\system\<5 random letters>.drv
 
For example:
%temp%\ave.tmp
%temp%\fdkjl.drv
%windir%\system\ave.tmp
%windir%\system\fdkjl.drv
 
PWS:Win32/OnLineGames.GP modifies certain system files on the local computer. Examples of files it tries to modify are the following, which are commonly DirectX library files:
 
dsound.dll
ddraw.dll
d3d9.dll
olepro32.dll
 
The target file is first copied to a temporary file with the extension .MOD or .REP:
 
<target file name>.mod  or
<target file name>.rep
 
A copy of the original file may be kept in the same folder as the following file name:
 
<target file name>.dll<5 random letters>  (for example, "dsound.dllXumDR")
 
When run, it creates a mutex named "__INF_<modified file name>__", for example "__INF_dsound.dll__".
 
The target file is modified to execute or load the dropped components having .DRV or .TMP file extensions, for example:
 
%temp%\ave.tmp
%temp%\fdkjl.drv
%windir%\system\ave.tmp
%windir%\system\fdkjl.drv
 
The modified DLL files are detected as variants of Virus:Win32/Patchstart or Virus:Win32/Patchload.
 
As a cleanup step, the malware that installs this trojan creates a file named "delself.bat" in the Temporary folder in order to delete the executed copy of the malware installer.

Payload

Disables WFP

Some variants of this malware disable Windows File Protection (WFP) by modifying the following registry data:
 
Modifies value: "SFCDisable"
With data: "4294967197" ("0xFFFFFF9D")
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 

Captures and sends data to a remote server

PWS:Win32/OnLineGames.GP searches the memory of processes belonging to several online games for particular information, such as the following:
  • User name and password
  • Character information
  • Gold count
 
The information is then sent to a remote server. Examples of the file names of processes the trojan monitors are:
  • PlayCHSLauncher.exe - Tower of Eternity
  • ElementClient.exe - Perfect World
  • DNF.exe - Dungeon & Fighter

Additional Information

Since several online games are likely to require DirectX components, the modified DirectX component automatically executes the malware when the online game starts.
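The dropped-file names, the backup and temporary copies of the patched DLLs, the mutex name and the SFCDisable value described in this entry can be turned into a small host-triage check. The following Python script is an added example, not part of the encyclopedia entry or of any Microsoft tooling: the directory listing it scans is constructed, the indicator tag names and function names are the example's own, and the %temp% / %windir% variables are kept unexpanded so that it runs on any platform (on a real Windows host they are expanded with os.path.expandvars before comparison).

```python
import os
import re
from typing import Dict, List, Optional, Union

# Indicators taken from the encyclopedia entry. The regexes encode the naming
# patterns it describes; the drop folders are the two it names.
DROPPED_TMP = re.compile(r"^[a-z]{3}\.tmp$", re.IGNORECASE)   # <3 random letters>.tmp
DROPPED_DRV = re.compile(r"^[a-z]{5}\.drv$", re.IGNORECASE)   # <5 random letters>.drv
BACKUP_COPY = re.compile(r"^(dsound|ddraw|d3d9|olepro32)\.dll[a-z]{5}$", re.IGNORECASE)
TEMP_COPY = re.compile(r"^(dsound|ddraw|d3d9|olepro32)\.(mod|rep)$", re.IGNORECASE)
DROP_DIRS = (r"%temp%", r"%windir%\system")
SFCDISABLE_TAMPERED = 0xFFFFFF9D   # 4294967197 unsigned, -99 as a signed DWORD


def _norm_dir(d: str) -> str:
    """Lower-case a directory and expand %VAR% references where the OS supports it."""
    return os.path.expandvars(d).rstrip("\\").lower()


def classify_path(path: str) -> Optional[str]:
    """Return the indicator tag a file path matches, or None.

    Dropped .tmp/.drv components only count inside the two drop folders. Backup
    (.dll<5 letters>) and temporary (.mod/.rep) copies of a patched DLL count in
    any folder, because the entry only says they sit beside the original file.
    """
    directory, _, name = path.rpartition("\\")
    in_drop_dir = _norm_dir(directory) in {_norm_dir(d) for d in DROP_DIRS}
    if in_drop_dir and DROPPED_TMP.match(name):
        return "dropped-tmp"
    if in_drop_dir and DROPPED_DRV.match(name):
        return "dropped-drv"
    if BACKUP_COPY.match(name):
        return "backup-copy"
    if TEMP_COPY.match(name):
        return "temp-copy"
    if name.lower() == "delself.bat" and _norm_dir(directory) == _norm_dir(r"%temp%"):
        return "delself-bat"
    return None


def triage_listing(paths: List[str]) -> Dict[str, str]:
    """Map every matching path in a directory listing to its indicator tag."""
    hits: Dict[str, str] = {}
    for p in paths:
        tag = classify_path(p)
        if tag:
            hits[p] = tag
    return hits


def sfcdisable_tampered(value: Union[int, str]) -> bool:
    """True if an SFCDisable value equals the 0xFFFFFF9D the entry reports.

    Accepts the decimal string, the hex string, a Python int, or the negative
    number a signed-DWORD reader returns (-99); all are compared as unsigned 32-bit.
    """
    if isinstance(value, str):
        value = int(value.strip(), 0)   # base 0 parses both "4294967197" and "0xFFFFFF9D"
    return value & 0xFFFFFFFF == SFCDISABLE_TAMPERED


def mutex_name(dll_name: str) -> str:
    """Mutex the trojan creates for a patched file, e.g. "__INF_dsound.dll__"."""
    return f"__INF_{dll_name}__"


# Constructed sample listing (not taken from a real host): the entry's example
# names mixed with benign look-alikes that must not match.
SAMPLE_LISTING = [
    r"%temp%\ave.tmp",
    r"%temp%\fdkjl.drv",
    r"%windir%\system\ave.tmp",
    r"%windir%\system\fdkjl.drv",
    r"%windir%\system32\dsound.dllXumDR",   # backup copy beside the original
    r"%windir%\system32\dsound.mod",        # temporary copy during patching
    r"%temp%\delself.bat",
    r"%temp%\setup.tmp",                    # five letters: not the 3-letter pattern
    r"%temp%\report.txt",
]

if __name__ == "__main__":
    for path, tag in triage_listing(SAMPLE_LISTING).items():
        print(f"{tag:12} {path}")
    print("SFCDisable tampered:", sfcdisable_tampered("4294967197"))
    print("Mutex to look for:", mutex_name("dsound.dll"))
```

The name patterns are deliberately as strict as the entry states them; on a real host a hit on a dropped .tmp/.drv file is only a lead, and the patched DirectX DLLs themselves should be confirmed by comparing their hashes or signatures against known-good copies rather than by file name.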
 
Analysis by Elda Dimakiling
