Saturday, 25 February 2012

PWS:Win32/Zuten


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jun 03, 2008

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008

Summary

Win32/Zuten is a family of malware that steals information from online games.

Symptoms

System Changes
No obvious system changes indicate the presence of PWS:Win32/Zuten.

Technical Information (Analysis)

Win32/Zuten is a family of malware that steals information from online games.

Installation

When executed, Win32/Zuten checks whether the targeted game is running and, if it is, terminates the game's process. The main executable then drops a DLL component with a random filename, loads it, and deletes itself.

When loaded, the DLL component may drop a second DLL, which is used to hide files, and a driver, which is used to terminate processes.

Payload

Steals Sensitive Information

The Win32/Zuten family steals information related to online games. It does this by injecting a DLL into the targeted game process and patching (hooking) API calls inside that process. The collected game information is then posted to a remote website. Games targeted by Win32/Zuten include the following:

MapleStory
ZhengTu
Perfect World
Legend of Mir
Ruler of the Land
Rainbow Island
Eudemons Online
Fantasy Westward Journey

Terminates Processes

Variants of Win32/Zuten typically search for and terminate processes belonging to security products, for example:

avp.exe
RavMon.exe
360Tray.exe
360Safe.exe
killer_Gdwli32.exe
QQDoctor.exe
Uses Advanced Stealth
Variants of Win32/Zuten may drop a DLL component that is used to hide files associated with the trojan. This DLL may be detected as VirTool:WinNT/Zuten.
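
The three behaviours described in this entry (a random-named DLL loaded into the game process, security-product processes killed by name, and files hidden from directory listings) translate into three host-triage checks. The script below is an added example written for this page; it is not Microsoft's detection logic and not code from the Zuten sample, and it runs over a constructed process snapshot and constructed directory listings rather than a live host. The game image name game.exe, the injected module name xkq7rzp1.dll, the drop directory C:\Users\Public and every path and PID in the snapshot are assumptions for illustration (the entry does not say where Zuten drops its DLL); the security-product names are the ones listed above.

```python
"""Triage checks for Win32/Zuten-style game-credential stealers (added example
for this page; not Microsoft's detection logic and not the trojan's code)."""
import math
import ntpath
from collections import Counter
from dataclasses import dataclass

# Security-product processes the encyclopedia entry says variants terminate.
KILLED_BY_ZUTEN = {"avp.exe", "RavMon.exe", "360Tray.exe", "360Safe.exe",
                   "killer_Gdwli32.exe", "QQDoctor.exe"}
SYSTEM_ROOT = r"C:\Windows"   # assumption: set to the examined host's value

@dataclass
class Process:
    pid: int
    image: str          # full path of the main executable
    modules: list       # full paths of every loaded module

def _under(path, directory):
    """True if `path` lies inside `directory` (case-insensitive NT paths)."""
    d = ntpath.normpath(directory).lower().rstrip("\\") + "\\"
    return ntpath.normpath(path).lower().startswith(d)

def name_entropy(path):
    """Shannon entropy (bits per character) of the file name's stem."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in Counter(stem).values()) if n else 0.0

def looks_random(path, min_len=6, min_entropy=2.9):
    """Dropper-style random name: longish, high-entropy, vowel-less stem.
    Weak on its own (ws2_32, msvcrt pass), so it only ranks candidates."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    return (len(stem) >= min_len and name_entropy(path) >= min_entropy
            and not any(ch in "aeiou" for ch in stem))

def foreign_modules(proc):
    """Modules loaded from outside both the process's own directory and the
    system root: the footprint of a DLL injected from the dropper's path."""
    image_dir = ntpath.dirname(proc.image)
    return [m for m in proc.modules
            if not _under(m, image_dir) and not _under(m, SYSTEM_ROOT)]

def missing_security_processes(snapshot, expected=KILLED_BY_ZUTEN):
    """Products the host baseline says should be running but that are not."""
    running = {ntpath.basename(p.image).lower() for p in snapshot}
    return sorted((e for e in expected if e.lower() not in running), key=str.lower)

def hidden_entries(live_listing, trusted_listing):
    """Cross-view check for the file-hiding DLL: names in a trusted listing
    (offline boot or raw volume parse) that the live directory API omitted."""
    live = {n.lower() for n in live_listing}
    return sorted((n for n in trusted_listing if n.lower() not in live), key=str.lower)

def triage(snapshot, watched, expected=KILLED_BY_ZUTEN):
    """Flag suspicious modules in the game images named in `watched` and
    report which of the listed security processes are gone."""
    watched = {w.lower() for w in watched}
    injected = []
    for p in snapshot:
        if ntpath.basename(p.image).lower() not in watched:
            continue
        foreign = set(foreign_modules(p))
        for m in p.modules:
            reasons = []
            if m in foreign:
                reasons.append("outside image/system dirs")
            if looks_random(m):
                reasons.append("random-looking name")
            if reasons:
                injected.append((p.pid, m, reasons))
    return {"injected": injected,
            "missing_security": missing_security_processes(snapshot, expected)}

# Constructed snapshot: an assumed game client with one module injected from
# an assumed drop directory, and only 360Tray.exe of the kill list still running.
SNAPSHOT = [
    Process(1200, r"C:\Games\Example\game.exe", [
        r"C:\Games\Example\game.exe", r"C:\Games\Example\engine.dll",
        r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\ws2_32.dll",
        r"C:\Users\Public\xkq7rzp1.dll"]),          # constructed injected DLL
    Process(800, r"C:\Windows\explorer.exe",
            [r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll"]),
    Process(1500, r"C:\Program Files\360\360Tray.exe",
            [r"C:\Program Files\360\360Tray.exe"]),
]
# Constructed listings of the assumed drop directory: live (API) view, then trusted view.
LIVE_LISTING = ["desktop.ini"]
TRUSTED_LISTING = ["desktop.ini", "xkq7rzp1.dll"]

if __name__ == "__main__":
    result = triage(SNAPSHOT, {"game.exe"})
    for pid, module, why in result["injected"]:
        print(f"pid {pid}: {module} ({', '.join(why)})")
    print("security processes not running:", result["missing_security"])
    print("hidden in drop directory:", hidden_entries(LIVE_LISTING, TRUSTED_LISTING))
```

On a live host the snapshot would come from Process Explorer, `tasklist /m` or psutil's `memory_maps()`, and the trusted listing from an offline boot or a raw-volume parse, since any listing taken through the running system's directory API may already pass through the hiding DLL. The name heuristic is deliberately weak and only orders the candidates that the path check and the missing-process check surface; the absence of the listed security processes on a host that should be running them is the stronger signal.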
Analysis by Ray Roberts
