
Trojan.PWS.OnlineGemes.RAH


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.PWS.OnlineGemes.RAH is also known as PSW.OnlineGames, Trojan.Dropper, Trojan-GameThief.Win32.OnLineGames.sdv, PWS:Win32/Frethog.AD.

Explanation:

This malware belongs to the widespread "OnlineGames" password stealer family.

When run, the trojan will perform the following actions:

Drop the files:

%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp - which contains a copy of the virus body

%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp3.tmp - a copy of msosmhfpXX.dll, described next

%WINDIR%\SYSTEM32\msosmhfpXX.dll - a DLL that will be loaded by every process

Write to the file %WINDIR%\win.ini in order to create an association with the name of the above DLL

Set the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs to "msosmhfpXX.dll", which tells Windows to load the DLL into every application. This is how the trojan runs again after the system is restarted.

Collected data is stored in %WINDIR%\SYSTEM32\msosmhfpXX.dat - a data file in which the above DLL saves the game information.

The trojan steals login information for the game Cabal, and possibly other games, and sends the data to a set of predetermined IP addresses.

The copied DLL injects code into all processes.

The trojan will delete its original file.
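The following triage script is an added example, not BitDefender's code, that checks a Windows host for the persistence artifacts listed above: the AppInit_DLLs value, the DLL and .dat file in System32, the win.ini entry, and the Temp copies. The DLL stem "msosmhfpXX" has variable characters, so a wildcard is used, and the Temp file names tmp2.tmp/tmp3.tmp assume the write-up's "Temp\tmp…" path with its backslash-t restored; run it from an elevated PowerShell session.

```powershell
# Added triage script for the OnlineGames/msosmhfp artifacts; not BitDefender's code.
# Assumptions: DLL/dat names start with "msosmhfp"; Temp copies are tmp2.tmp and tmp3.tmp.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$sys32    = Join-Path $env:WINDIR 'SYSTEM32'
$iniPath  = Join-Path $env:WINDIR 'win.ini'
# Legacy profile Temp path named in the write-up, plus the modern %TEMP% location.
$tempDirs = @("$env:HOMEDRIVE$env:HOMEPATH\Local Settings\Temp", $env:TEMP) | Select-Object -Unique
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$What, [string]$Where) {
    $findings.Add([pscustomobject]@{ Artifact = $What; Location = $Where })
}

# 1. AppInit_DLLs persistence: Windows loads the listed DLL into every process that
#    maps user32.dll. Only honoured when LoadAppInit_DLLs is 1, and ignored on
#    Windows 8+ with Secure Boot enabled, so note the flag alongside the value.
$win = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
if ($win.AppInit_DLLs -match 'msosmhfp') {
    Add-Finding 'AppInit_DLLs references dropped DLL' `
        "$keyPath\AppInit_DLLs = '$($win.AppInit_DLLs)' (LoadAppInit_DLLs = $($win.LoadAppInit_DLLs))"
}

# 2. Dropped DLL and the .dat file it writes, both in System32.
Get-ChildItem -Path $sys32 -Filter 'msosmhfp*.*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.dll', '.dat') } |
    ForEach-Object { Add-Finding 'Dropped file in System32' $_.FullName }

# 3. win.ini line that names the DLL.
if (Test-Path $iniPath) {
    Select-String -Path $iniPath -Pattern 'msosmhfp' -SimpleMatch |
        ForEach-Object { Add-Finding 'win.ini entry' "$iniPath line $($_.LineNumber): $($_.Line.Trim())" }
}

# 4. Temp copies of the trojan body and of the DLL.
foreach ($dir in $tempDirs) {
    foreach ($name in @('tmp2.tmp', 'tmp3.tmp')) {
        $p = Join-Path $dir $name
        if (Test-Path $p) { Add-Finding 'Temp copy' $p }
    }
}

if ($findings.Count -eq 0) { 'No msosmhfp/OnlineGames artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

The file and registry checks are independent, so a hit on only one of them (for example the .dat file surviving after the DLL was removed) is still worth preserving as evidence before cleanup.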

Last update 21 November 2011
