
Trojan.PWS.Onlinegames.KDHO


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.PWS.Onlinegames.KDHO is also known as Win32/PSW.OnLineGames.OUM, Worm.Win32.Taterf!IK, BScope.Trojan-PSW.AmGames.

Explanation:

This is another variant of one of the most widespread online-game password-stealer malware "families" out there.

When run, this malware creates a copy of itself under the name dsoqq.exe or nodqq.exe and adds this copy to startup by creating one of the
following registry entries:
"HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\dso32"
"HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\nod32"
pointing to the created copy.

Next it drops a DLL file with the same name as the malware, dsoqq[random_digit].dll or nodqq[random_digit].dll,
and injects it into the memory space of explorer.exe; the original file then deletes itself.
This DLL is the actual password-stealing component:

Target games: dungeonfighter, MapleStory, Valhalla, knightonline, dekaron, so3d.

The gathered information is then sent to a number of websites controlled by the malware authors.

Both components of the malware are packed with the ASPack packer.

The malware spreads via removable devices using an autorun.inf that points to an executable named xjb3.exe or qhbfqx.exe.

The malware changes the "Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL" registry key so that the user
cannot view hidden files from Windows Explorer.
It also changes the "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun" entry in order to turn autorun on.
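A defender's host-triage script for the indicators listed above, added here as an example and not part of the BitDefender description; it assumes the Run and Policies keys live under HKCU or HKLM, that the SHOWALL tampering targets the CheckedValue entry under HKLM, and that the dropped DLL's random suffix is a single digit.

```powershell
# Added triage script (not from the write-up). Assumes SHOWALL tampering is to HKLM ...\CheckedValue and a one-digit DLL suffix.
$copyNames   = 'dsoqq.exe', 'nodqq.exe'
$runValues   = 'dso32', 'nod32'
$autorunExes = 'xjb3.exe', 'qhbfqx.exe'
$dllPattern  = '^(dsoqq|nodqq)\d\.dll$'
$findings    = @()
foreach ($hive in 'HKCU:', 'HKLM:') {
    # 1. Persistence: Run values named dso32/nod32, or any Run value pointing at the dropped copy
    $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if (($runValues -contains $p.Name) -or
                ($copyNames | Where-Object { "$($p.Value)" -match [regex]::Escape($_) })) {
                $findings += "Run value '$($p.Name)' = '$($p.Value)' in $runKey"
            }
        }
    }
    # 2. Autorun policy: bit 0x04 clear means the policy does not exclude removable drives from autorun
    $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (Test-Path $pol) {
        $v = (Get-ItemProperty -Path $pol).NoDriveTypeAutoRun
        if ($null -ne $v -and ($v -band 0x04) -eq 0) {
            $findings += ('NoDriveTypeAutoRun = 0x{0:X} in {1} (removable drives not excluded)' -f $v, $pol)
        }
    }
}
# 3. Hidden-file view: SHOWALL\CheckedValue should be 1 for "Show hidden files" to work (assumed value name)
$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if (Test-Path $showAll) {
    $cv = (Get-ItemProperty -Path $showAll).CheckedValue
    if ($cv -ne 1) { $findings += "SHOWALL CheckedValue is '$cv' (expected 1)" }
}
# 4. Removable drives (DriveType 2): autorun.inf naming one of the spreader executables
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw
        foreach ($exe in $autorunExes) {
            if ($text -match [regex]::Escape($exe)) { $findings += "$inf references $exe" }
        }
    }
}
# 5. Injected component: dsoqq<digit>.dll / nodqq<digit>.dll loaded into explorer.exe
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules } catch { Write-Warning "Cannot list modules of PID $($proc.Id)"; continue }
    foreach ($m in $mods) {
        if ($m.ModuleName -match $dllPattern) { $findings += "explorer.exe PID $($proc.Id) loaded $($m.FileName)" }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No KDHO indicators found.' }
```

Run it from an elevated PowerShell session so the HKLM keys and explorer.exe modules are readable; a hit on any check warrants pulling the referenced file for analysis rather than treating the script's output as a verdict.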

Last update 21 November 2011
