
PWS:Win32/OnLineGames.GR


First posted on 03 February 2010.
Source: SecurityHome

Aliases:

PWS:Win32/OnLineGames.GR is also known as Trojan-GameThief.Win32.OnLineGames.bncb (Kaspersky), Win32/PSW.OnLineGames.ORB (ESET), PWS-Mmorpg!kx (McAfee), Infostealer.Gampass (Symantec).

Explanation:

PWS:Win32/OnLineGames.GR is a trojan that steals account information from the popular online game "JJMatch" and sends it to a remote server.

Installation

PWS:Win32/OnLineGames.GR may arrive on the affected computer with the file name initdll.exe. When executed, it modifies the following registry entry to ensure it is loaded at each Windows start:

Adds value: "StubPath"
With data: "%program_files%\initdll.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{78222236-2255-89A4-5687-895462890322}

In addition, it also deletes the following registry key:

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{78222236-2255-89A4-5687-895462890322}

Payload

Steals online game information

PWS:Win32/OnLineGames.GR attempts to replace the DLL file "TKTnyInfo.dll" (used by "JJMatch") with its own copy, which it uses to steal account information. It tries to locate the installation path of "JJMatch" by enumerating the following registry entry:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

The original copy of the DLL is renamed to "JPGlib.dll". The replaced version is detected as PWS:Win32/OnLineGames.GR!dll.

Terminates process

PWS:Win32/OnLineGames.GR terminates the process "TKLobby.exe", which is used by "JJMatch".
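The Active Setup persistence described above can be checked from a registry export: the added Python example below (not code from the original write-up) parses the relevant .reg text and flags StubPath entries whose executable lies outside an allow-list of system directories. The sample export, the benign GUID and the allowed-directory list are constructed for illustration; the suspicious entry reproduces the value name, data and subkey named in this write-up.

```python
import re
# Constructed .reg-export sample: the second key reproduces the StubPath
# persistence entry from this write-up; the first is a made-up benign entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-00000000BEEF}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{78222236-2255-89A4-5687-895462890322}]
"StubPath"="%program_files%\\initdll.exe"
"""

ACTIVE_SETUP = r"\Microsoft\Active Setup\Installed Components"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
STR_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Parse REG_SZ values from .reg text into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = STR_VALUE_RE.match(line)  # dword/hex lines deliberately do not match
        if m and current is not None:
            # .reg escapes every backslash as "\\"; undo that for path comparison
            keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def executable_of(command):
    """First token of a StubPath command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ", 1)[0].lower()


def suspicious_stubpaths(keys, allowed_dirs=(r"c:\windows\system32",)):
    """Return (key, StubPath) pairs under Active Setup whose executable is outside allowed_dirs."""
    hits = []
    for key, values in keys.items():
        if ACTIVE_SETUP.lower() not in key.lower() or "StubPath" not in values:
            continue
        exe = executable_of(values["StubPath"])
        if not any(exe.startswith(d.lower()) for d in allowed_dirs):
            hits.append((key, values["StubPath"]))
    return hits
```

Active Setup runs a component's StubPath for a user whenever the HKLM entry has no matching HKCU entry, which is why the trojan deletes its HKCU copy; when comparing hives, an HKLM component with no per-user counterpart is the pattern to look for.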

Analysis by Chun Feng

Last update 03 February 2010
