
PWS:Win32/Tidola.A


First posted on 16 March 2009.
Source: SecurityHome

Aliases :

There are no other names known for PWS:Win32/Tidola.A.

Explanation :

Win32/Tidola is a family of trojans that may consist of several components, and may be used to facilitate the operation of other malware that targets online games (such as Win32/Helpud).

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %system%\r0<random 4 numbers>.exe (for example r05013.exe)


Installation
When executed, Win32/Tidola's executable component (detected as TrojanDropper:Win32/Tidola.A) copies %system%\rundll32.exe to %system%\r0<random 4 numbers>.exe (for example r05013.exe) and drops a DLL to %temp%\~<random 6 numbers> (this file may be detected as PWS:Win32/Tidola.A). The DLL is then executed using the previously created copy of %system%\rundll32.exe.

Payload
Modifies Hosts File
The local Hosts file overrides the DNS resolution of a web site URL to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's Hosts file to stop users from accessing websites associated with particular security-related applications (such as antivirus products). In this case, Tidola modifies the Hosts file to stop users from accessing particular sites associated with online gaming. Tidola modifies the Hosts file in order to redirect the affected user's attempts to connect to the following sites:
  passport.wanmei.com
  reg.163.com
  sde.game.sohu.com
  account.ztgame.com
  pwd.sdo.com
  reg.91.com
  pass.kingsoft.com
  passport.yuyan.com

Steals Online Game Details
Tidola is directly or indirectly responsible for stealing online game details for online games based in China.
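The two host-based indicators above (the renamed rundll32.exe copy in %system% and the Hosts-file overrides of the listed gaming sites) can be checked with a short triage script. This is an added example, not code from the original write-up; the Hosts-file text and the %system% directory listing it uses are constructed, and the redirect IP is a documentation address since the write-up gives none.

```python
"""Triage helpers for the Win32/Tidola indicators described above (added
example, not from the original write-up; all sample data is constructed)."""
import re

# Online-gaming hosts the write-up lists as redirected via the Hosts file.
TIDOLA_HOSTS = {
    "passport.wanmei.com", "reg.163.com", "sde.game.sohu.com",
    "account.ztgame.com", "pwd.sdo.com", "reg.91.com",
    "pass.kingsoft.com", "passport.yuyan.com",
}
# %system%\r0<random 4 numbers>.exe: the renamed rundll32.exe copy (e.g. r05013.exe).
DROPPED_COPY_RE = re.compile(r"^r0\d{4}\.exe$", re.IGNORECASE)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:  # parts[0] is the IP, the rest are host names
            yield parts[0], name.lower()


def suspicious_hosts_entries(text):
    """Return [(ip, hostname)] for overrides of the gaming sites Tidola targets.
    Any override is flagged regardless of IP: a clean Hosts file has no reason
    to pin these names, and the write-up gives no fixed redirect address."""
    return [(ip, n) for ip, n in parse_hosts(text) if n in TIDOLA_HOSTS]


def suspicious_system_files(filenames):
    """Return names from a %system% listing matching the r0####.exe pattern."""
    return [f for f in filenames if DROPPED_COPY_RE.match(f)]


# Constructed sample input: one benign entry plus two injected redirects.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      pwd.sdo.com reg.163.com   # injected by malware
192.0.2.10      www.example.com
"""
SAMPLE_SYSTEM32 = ["rundll32.exe", "r05013.exe", "kernel32.dll", "r0abcd.exe"]

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))  # [('192.0.2.10', 'pwd.sdo.com'), ('192.0.2.10', 'reg.163.com')]
    print(suspicious_system_files(SAMPLE_SYSTEM32))  # ['r05013.exe']
```

On a live Windows host the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and a listing of %SystemRoot%\System32; a hit on either check is a reason to pull the file for analysis, not proof of infection by itself.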

Analysis by Matt McCormack

Last update 16 March 2009
