PWS:Win32/Kuoog.A
First posted on 29 March 2010.
Source: SecurityHome
Aliases:
PWS:Win32/Kuoog.A is also known as Trojan-GameThief.Win32.WOW.xko (Kaspersky), W32/Malware.LLPP (Norman), Win32/TrojanDropper.Agent.OPC (ESET), Generic.dx!ong (McAfee), Win32/Wowpa.RB (CA), Trojan-GameThief.Win32.WOW.xmk (Kaspersky), Win32/PSW.OnLineGames.PAL (ESET), PWS-OnlineGames.c.dll (McAfee), Trojan.Win32.Generic!BT (Trend Micro).
Explanation:
PWS:Win32/Kuoog.A is a trojan that attempts to steal passwords and authentication details from popular online games.
Installation
Once run, TrojanDropper:Win32/Kuoog.A drops the file 'emcor.dll' in the %temp% directory. This DLL contains the functionality for the password-stealing payload. In order to launch the DLL at Windows startup, the following change is made to the registry:
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "%temp%\emcor.dll"
Payload
Steals online game details
PWS:Win32/Kuoog.A specifically targets the online games Aion and World of Warcraft. It attempts to steal authentication details for these games and then sends the captured data to a page on the chouzhou.net domain. PWS:Win32/Kuoog.A checks for and circumvents two-tier authentication. If two-tier authentication is detected, the malware hooks the authentication portion of the game. Once the user enters their details and the code from their external authenticator, they are prevented from logging into the game; the details and authentication codes are sent to the aforementioned site so that they can be used within the authenticator's validity window.
Additional information
PWS:Win32/Kuoog.A creates the mutex 'DBWinMutex' to ensure that multiple copies of the trojan do not execute simultaneously.
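As an added example (not part of this write-up), the following Python checks a captured `reg query` export of the Windows key named above for AppInit_DLLs entries that load from a temp directory, the persistence technique this trojan uses; the sample `reg query` output is constructed, and the `%temp%`-style markers are an assumption about where such a DLL should never legitimately live.

```python
"""Detection helper: flag AppInit_DLLs entries that load from a temp directory.

Added example, not code from the original write-up. It parses the text output of
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
so it can be run offline against an export collected from a suspect host.
"""
import re
from typing import Dict, List

# Constructed sample of `reg query` output mirroring the persistence described above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Users\victim\AppData\Local\Temp\emcor.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    DeviceNotSelectedTimeout    REG_SZ    15
"""

# Assumption: a legitimately registered AppInit DLL never lives under a temp directory.
TEMP_MARKERS = ("%temp%", "\\temp\\", "\\tmp\\")

def parse_reg_query(text: str) -> Dict[str, str]:
    """Return {value_name: data} from `reg query` output (the type column is dropped)."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:SZ|EXPAND_SZ|DWORD|MULTI_SZ)\s*(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def suspicious_appinit_dlls(values: Dict[str, str]) -> List[str]:
    """Return AppInit_DLLs entries that point into a temp directory.

    AppInit_DLLs may list several DLLs separated by spaces or commas. Nothing is
    flagged when LoadAppInit_DLLs is explicitly 0, because the loader then ignores
    the list; a missing LoadAppInit_DLLs value is treated as loading, to be safe.
    """
    raw = values.get("AppInit_DLLs", "")
    if not raw:
        return []
    if values.get("LoadAppInit_DLLs", "0x1").lower() in ("0x0", "0"):
        return []
    flagged = []
    for entry in re.split(r"[,\s]+", raw):
        low = entry.lower()
        if low.endswith(".dll") and any(marker in low for marker in TEMP_MARKERS):
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    hits = suspicious_appinit_dlls(parse_reg_query(SAMPLE_REG_QUERY))
    print("Suspicious AppInit_DLLs entries:", hits)
```

Feed it the real export with `parse_reg_query(open("windows_key.txt").read())`; any hit warrants pulling the named DLL for analysis and checking the key's last-write time against the incident timeline.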
Analysis by Matt McCormack
Last update 29 March 2010