Home / malware Trojan.PWS.OnlineGames.KBVT
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.PWS.OnlineGames.KBVT is also known as Worm:Win32/Taterf.B;, Trojan-GameThief.Win32.Magania.aymn.
Explanation :
This is another onlinegames password stealer. When first run the malware will perform the following actions:
- make a hidden copy of itself in %System% folder under olhrwef.exe and create the following registry key
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Name: cdoosoft
Value: "%System%olhrwef.exe
in order for this copy to be run at every system startup
- drop a hidden .dll file named nmdfgds0.dll or nmdfgds1.dll in %System% folder - this is the component responsible for password stealing. It will be injected in all running processes and will monitor mouse gestures and keystrokes. some of the targeted online games are: MapleStory, Age Of Conan, Rohan, The Lord OF The Rings, Knight Online, Lands Of Aden and others.
- create a hidden autorun.inf file on each drive which points to a hidden copy of the malware found in %drive_letter%1ogf.exe used to spread itself via removable drives
- drop a driver file named klif.sys in %dirvers% folder and create the following registry key in order for this driver to be loaded as a service at every system startup
HKEY_LOCAL_MACHINESoftwareCurrentControlSetServicesKAVSys
Type: 0x1
ErrorControl: 0x1
Start: 0x1
ImagePath: %drivers%klif.sys
This driver file, along with another .dll file named ANTIVM.dll, will be used to disable the update for different antivirus software or to stop processes that may be used to monitor running programs behaviour (in order to make analysis more difficult).
- it will also add the following modifications to registry settings
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenSHOWALL
CheckedValue = 0x00000000
so that the user won't be able to see hidden files and folders in explorer while browsing the file system.
- it will download the following file http://[removed]uw2..com/xmfx/help1.rar and save it in %temp% folder (when this description was made the file wasn't available anymore)
To avoid antivirus detection both olhrwef.exe and nmdfgds0.dll were packed using NSAnti packer.Last update 21 November 2011