Home / malware PWS:Win32/OnLineGames.HS
First posted on 01 June 2010.
Source: SecurityHomeAliases :
PWS:Win32/OnLineGames.HS is also known as Trojan-GameThief.Win32.OnLineGames.wrpl (Kaspersky), W32/OnLineGames.LUIS (Norman), Win32/GameThief.F (CA), Trojan.PWS.Wsgame.20533 (Dr.Web), Infostealer.Gampass (Symantec), TSPY_LOLYDA.SMF (Trend Micro).
Explanation :
PWS:Win32/OnLineGames.HS is a trojan that steals user information from the online game "World of Warcraft". The stolen information is then sent to a remote recipient using e-mail.
Top
PWS:Win32/OnLineGames.HS is a trojan that steals user information from the online game "World of Warcraft". The stolen information is then sent to a remote recipient using e-mail. Installation PWS:Win32/OnLineGames.HS is usually dropped with a clean application to mislead the user into thinking that the malware file is legitimate. It is usually dropped in the Windows Temporary Files folder. When executed, it checks if only one instance of itself is running by creating a mutex with the name "<variable>adsfasf". Payload Steals World of Warcraft user credentials PWS:Win32/OnLineGames.HS tries to read the contents of the "InstallPath" entry in the following registry subkey to determine if and where the game "World of Warcraft" (WoW) is installed:HKLM\SOFTWARE\Blizzard Entertainment\World of Warcraft It then tries to kill the following WoW processes:wow.exe backgrounddownloader.exe If WoW is installed in the computer, PWS:Win32/OnLineGames.HS drops the following files:<path of WoW installation>\ksuser.dll <path of WoW installation>\systext.dll It attempts to copy its dropped file "ksuser.dll" as "sysplk.dll" in the same folder. The file "ksuser.dll" loads "systext.dll" and then exits. The file "systext.dll" contains the function "InstallService", whose function is to delete a certain file based on the input parameters. A second function installs a global hook using the "SetWindowsHookExA" API, which ensures that the DLL file is injected into all running processes. A third function uninstalls the global hook installed by the second function. When loaded, "systext.dll" checks if the application that has loaded it is "wow.exe" version 3.1.3. If this is the case, "systext.dll" injects code into the "wow.exe" process to steal information and take screenshots on the occurrence of certain events. It then sends the stolen information to certain recipients using e-mail. If the application that has loaded it is not "wow.exe", it runs the second function to install the global hook. Additional information PWS:Win32/OnLineGames.HS checks if the following security processes are running:avp.exe ravmond.exe If these processes are not running, PWS:Win32/OnLineGames.HS drops the following files: %Temp%\<random number>.dll - with hidden and system attributes %Temp%\<name>.dll - where <name> is either "www" or "xx" It then executes the following commands, using the function "InstallService" (see the Payload section):cmd /c rundll32.exe %temp%\<name>.dll InstallService <current malware executable> PWS:Win32/OnLineGames.HS also loads "%Temp%\<random number>.dll" and calls two of its exported functions; these functions have various names based on the malware sample, but are usually composed of 4 to 5 random characters.
Analysis by Daniel RaduLast update 01 June 2010