
Trojan.KillAV.RS


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.KillAV.RS is also known as Trojan.PWS.Wsgame.19083, Win32/Frethog.GIO, PWS.OnlineGames3.AELK.

Explanation :

When executed it will perform the following actions:

Stops and deletes the cryptsvc service (Microsoft's Cryptographic Services), so the system can no longer verify the digital signatures or integrity of files. Windows Update and Windows File Protection also cannot work without this service.

Saves the original %SysDir%\ksuser.dll as %SysDir%\sksuser.dll and copies its own DLL to %SysDir%\ksuser.dll.

It searches for game installation directories on every FAT32 or NTFS partition. It searches the running processes for any whose name ends in game.exe, and enumerates the SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key to retrieve the paths of executables whose name contains the string game.exe. It then drops its own ksuser.dll into each directory found, so that it is loaded when the game starts.

The infected ksuser.dll has an overlay of 288 bytes which contains two encrypted links:
http://003[removed].cn/zhu/post.asp
http://003[removed].cn/008/post.asp

The malware sends game information, such as the username and password, to the following URL:
http://003.[removed].cn/zhu/mibao.asp

It also takes screenshots of the desktop and of application windows such as Internet Explorer or Windows Picture and Fax Viewer. The pictures are saved in %SysDir%\dllcache and sent to: http://003.[removed].cn/zhu/post.asp

The trojan deletes itself after the next reboot.
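A host-side audit for the indicators listed above, added here as an example and not taken from BitDefender or the original report. It assumes an elevated Windows PowerShell session, that %SysDir% is %SystemRoot%\System32, and that the hypothetical findings list is only a lead for manual review.

```powershell
# Added example (not from the advisory): audit a Windows host for the traces
# Trojan.KillAV.RS leaves behind. Assumes an elevated session and that
# %SysDir% = $env:SystemRoot\System32.
$sysDir   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. cryptsvc should exist and be running; the trojan stops and deletes it.
$svc = Get-Service -Name 'cryptsvc' -ErrorAction SilentlyContinue
if (-not $svc) { $findings += 'cryptsvc service is missing' }
elseif ($svc.Status -ne 'Running') { $findings += "cryptsvc service is $($svc.Status)" }

# 2. sksuser.dll is the trojan's backup of the original DLL; it should never exist.
$backup = Join-Path $sysDir 'sksuser.dll'
if (Test-Path $backup) { $findings += "backup of original DLL present: $backup" }

# 3. The replaced ksuser.dll does not carry a Microsoft signature. On hosts where
#    the genuine file is only catalog-signed this is a lead, not a verdict.
$ksuser = Join-Path $sysDir 'ksuser.dll'
if (Test-Path $ksuser) {
    $sig = Get-AuthenticodeSignature -FilePath $ksuser
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "ksuser.dll signature status: $($sig.Status)"
    }
}

# 4. Copies of ksuser.dll dropped beside game executables registered under App Paths.
$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
Get-ChildItem $appPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*game.exe' } |
    ForEach-Object {
        $exe = (Get-ItemProperty $_.PSPath).'(default)'
        if ($exe) {
            $dll = Join-Path (Split-Path -Parent $exe.Trim('"')) 'ksuser.dll'
            if (Test-Path $dll) { $findings += "ksuser.dll beside game executable: $dll" }
        }
    }

# 5. Screenshots are staged in dllcache, which normally holds no image files.
$cache = Join-Path $sysDir 'dllcache'
if (Test-Path $cache) {
    $pics = Get-ChildItem $cache -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bmp', '.jpg', '.png' }
    if ($pics) { $findings += "$($pics.Count) image file(s) staged in $cache" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Trojan.KillAV.RS indicators found' }
```

Because the trojan deletes its dropper after the next reboot, the replaced ksuser.dll, the sksuser.dll backup and the missing cryptsvc service are the durable traces worth checking.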

Last update 21 November 2011
