
Trojan.PWS.OnlineGames.KDKC


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.PWS.OnlineGames.KDKC is also known as Trojan-GameThief.Win32.Magania.dihe, Trojan.PWS.Gamania.24496, Win32:OnLineGames-FTA.

Explanation:

This malware belongs to the widespread "OnlineGames" password stealer family. When run, it creates an "autorun.inf" file in the root directory of every drive detected, which points to a hidden copy of the virus named "hvoxmq.exe". If the drive is shared across the network then other remote computers can be infected any time they try to access this share.

It also copies itself to "%windir%\system32" as "post.exe" and drops a dll there under the name "post[number].dll". The dll is injected into the memory space of "explorer.exe", and from there it is loaded into other processes. A component of the dll tries to steal passwords by keylogging from games such as "Maplestory", "Gash", "Lineage" and "Goodluck", and sends the captured data to a set of previously known IP addresses. It also tries to disrupt the activity of some local antivirus monitors and antivirus updaters.

The malware also modifies the following registry entries:

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\postos" -> "%WINDIR%\system32\post.exe", which runs the malware on every system startup

"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" -> "0", which makes Windows Explorer stop showing hidden files

The persistence of the virus is ensured by the loaded dll, by the "autorun.inf" files, and by the autorun registry entry.
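A read-only host triage script that checks for the indicators listed above (the "postos" Run value, the SHOWALL tampering, the dropped "post.exe"/"post[number].dll", and "autorun.inf" files referencing "hvoxmq.exe"); this is an added example, not BitDefender's tooling, and it assumes it is run in an elevated PowerShell session on the suspected host.

```powershell
# Added triage script (not from the BitDefender write-up): reports the
# indicators described above on the local host. It only reads; it does not clean.
$findings = @()

# 1. Autorun registry value "postos" pointing at post.exe in system32
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$postos = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).postos
if ($postos) {
    $findings += "Run value 'postos' present: $postos"
}

# 2. Hidden-file display disabled (the write-up records SHOWALL set to "0")
$showAllKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$showAll = Get-ItemProperty -Path $showAllKey -ErrorAction SilentlyContinue
if ($showAll) {
    # inspect every data value under the key, skipping PowerShell's PS* metadata
    $showAll.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -eq '0' } |
        ForEach-Object { $findings += "SHOWALL\$($_.Name) is 0 (hidden files suppressed)" }
}

# 3. Dropped files in %windir%\system32: post.exe and post<number>.dll
$sys32 = Join-Path $env:WINDIR 'system32'
if (Test-Path (Join-Path $sys32 'post.exe')) { $findings += "post.exe present in $sys32" }
Get-ChildItem -Path $sys32 -Filter 'post*.dll' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^post\d+\.dll$' } |
    ForEach-Object { $findings += "Dropped dll: $($_.FullName)" }

# 4. autorun.inf in each drive root that points at the hidden copy hvoxmq.exe
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($text -match 'hvoxmq\.exe') {
            $findings += "autorun.inf on $($drive.Root) references hvoxmq.exe"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators of Trojan.PWS.OnlineGames.KDKC found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the dll is loaded into other processes, a clean registry and file system on a still-running host is not proof of a clean machine; repeat the check after a reboot from trusted media.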

Last update 21 November 2011
