PWS:Win32/Frethog.F
First posted on 22 February 2010.
Source: SecurityHome
Aliases: There are no other names known for PWS:Win32/Frethog.F.
Explanation:
PWS:Win32/Frethog.F is the DLL component of a multi-component password-stealing trojan that targets confidential data, such as account credentials, for Massively Multiplayer Online Role-Playing Games (MMORPGs) such as World of Warcraft (WoW).
Installation

PWS:Win32/Frethog.F arrives on the system as a DLL component and is installed by a separate EXE component. It is usually written to the system directory under one of a small set of filenames, some of which vary by a single digit. Typical filenames are:

mppds.dll
woso<number>.dll
avpo<number>.dll
cvasds<number>.dll

where <number> is a one-digit number.

The DLL is injected into the Windows shell process "explorer.exe", which is normally started with the desktop when a user logs in. The malicious code therefore runs inside the shell process rather than as a process of its own, so it does not appear as a separate entry in the process list.

Payload

Modifies System Security Settings
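The filename patterns and the explorer.exe injection described above lend themselves to a simple host check. The following Python script is an added example and is not part of the original write-up: it matches a directory listing, or a module list exported for explorer.exe from a process inspection tool, against the filenames listed above, respecting the single-digit constraint on <number>. The sample listing is constructed for the example, and the function and constant names are the example's own.

```python
"""Triage helper for the PWS:Win32/Frethog.F filename indicators above."""
import os
import re
from typing import Dict, Iterable, Optional

# Filenames the write-up attributes to the Frethog.F DLL component.
# "<number>" is a single digit in the write-up, so each pattern accepts
# exactly one digit; a two-digit name such as avpo12.dll does NOT match.
FRETHOG_DLL_PATTERNS: Dict[str, re.Pattern] = {
    "mppds.dll":          re.compile(r"^mppds\.dll$", re.IGNORECASE),
    "woso<number>.dll":   re.compile(r"^woso[0-9]\.dll$", re.IGNORECASE),
    "avpo<number>.dll":   re.compile(r"^avpo[0-9]\.dll$", re.IGNORECASE),
    "cvasds<number>.dll": re.compile(r"^cvasds[0-9]\.dll$", re.IGNORECASE),
}


def match_frethog_name(name: str) -> Optional[str]:
    """Return the write-up pattern that `name` matches, or None.

    Only the final path component is considered, so full Windows paths
    (backslash separated) are accepted as well as bare filenames.
    """
    base = os.path.basename(name.replace("\\", "/"))
    for label, pattern in FRETHOG_DLL_PATTERNS.items():
        if pattern.match(base):
            return label
    return None


def scan_names(names: Iterable[str]) -> Dict[str, str]:
    """Map every name that matches a Frethog.F pattern to that pattern.

    `names` may be a directory listing or the list of modules loaded in
    explorer.exe; the function does not care where the strings came from.
    """
    hits: Dict[str, str] = {}
    for name in names:
        label = match_frethog_name(name)
        if label is not None:
            hits[name] = label
    return hits


def scan_directory(path: str) -> Dict[str, str]:
    """Scan one directory (non-recursively) for suspect filenames.

    Intended to be pointed at the Windows system directory, e.g.
    os.path.join(os.environ["SystemRoot"], "System32").
    """
    with os.scandir(path) as entries:
        return scan_names(entry.name for entry in entries if entry.is_file())


# Constructed sample listing (example data, not a real infection): legitimate
# system DLLs mixed with names that do and do not satisfy the patterns.
SAMPLE_LISTING = [
    "kernel32.dll", "ntdll.dll", "MPPDS.DLL", "woso3.dll",
    "avpo12.dll", "cvasds7.dll", "wosoa.dll",
    r"C:\Windows\System32\avpo0.dll",
]

if __name__ == "__main__":
    for name, label in scan_names(SAMPLE_LISTING).items():
        print(f"suspect: {name}  (matches {label})")
    root = os.environ.get("SystemRoot")
    if root and os.path.isdir(os.path.join(root, "System32")):
        for name, label in scan_directory(os.path.join(root, "System32")).items():
            print(f"suspect on this host: {name}  (matches {label})")
```

Because the DLL runs inside explorer.exe, a process-list review alone misses it; feed the loaded-module list of explorer.exe to scan_names as well as the system directory listing. A filename match is a weak indicator on its own (the operator can rename the component, and an unrelated file could collide), so treat a hit as a reason to pull the file for hash and signature checks rather than as a verdict.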
PWS:Win32/Frethog.F attempts to circumvent security products by:

Attempting to prevent AVP Antivirus from displaying notifications about system changes, by closing the windows used by that product.
Attempting to terminate the RAV Antivirus process ("ravmon.exe") if it is found to be running on the affected system.
Steals Online Game Data
Once injected into "explorer.exe", the trojan can obtain login account information for one or more of the following MMORPGs and affiliated products:

Rainbow Island
Cabal Online
A Chinese Odyssey
Hao Fang Battle Net
Lineage
Gamania
MapleStory
qqgame
Legend of Mir
World of Warcraft

The captured details are sent to a remote server.
Analysis by Matt McCormack
Last update 22 February 2010