Trojan.Dropper.SPO
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Dropper.SPO is also known as Infostealer.Gamepass, Trojan-GameThief.Win32.OnlineGames.tnfb, PWS-Mmorpg.gen.
Explanation:
This trojan is used to steal sensitive information related to an MMORPG (Legend of Mir).
On first run, the malware copies itself to %windir%\system32\saw110.exe and creates a registry entry to run this file at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
nwiz -> saw110.exe
Saw110.exe drops the file saw110.dll, which is injected into explorer.exe.
Loaded as a module in explorer.exe, saw110.dll looks for processes that have a certain kind of graphical interface (by looking for window names such as TFrmMain or TDXDraw).
If such a process is found, saw110.dll injects itself into it and checks for the following file names: mir.exe, mir1.dat, mir2.dat. If one of these names is found, the malware tries to steal account information and sends it over HTTP to a remote server.
Last update 21 November 2011
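A triage check for the startup entry described above, as an added example that is not part of the original write-up: it parses saved `reg query` output and flags values under the policies\Explorer\Run key that launch saw110.exe, whether or not the value is named nwiz. The sample output and the function names are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the write-up above; everything else is an assumption.
RUN_KEY = r"software\microsoft\windows\currentversion\policies\explorer\run"
VALUE_NAME = "nwiz"
DROPPER = "saw110.exe"
# A value line in `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    nwiz    REG_SZ    C:\WINDOWS\system32\saw110.exe
"""

def image_name(data):
    """Return the lower-cased executable file name from a Run value's data."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]   # quoted path, arguments may follow
    else:
        m = re.match(r"(.+?\.exe)\b", data, re.I)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()

def scan(reg_output):
    """Return (key, name, data, reason) for each matching value in the text."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):   # key header line
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY):
            continue
        name, _type, data = m.groups()
        if image_name(data) == DROPPER:
            exact = name.lower() == VALUE_NAME
            reason = "exact match" if exact else "dropper under another value name"
            findings.append((key, name, data, reason))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit is a lead for further checks on that host, such as the presence of saw110.exe and saw110.dll under %windir%\system32.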