
PWS:Win32/Frethog.AJ


First posted on 04 February 2009.
Source: SecurityHome

Aliases :

PWS:Win32/Frethog.AJ is also known as Win-Trojan/KorGameHack.17408 (AhnLab), PSW.Legendmir.EQJ (AVG), Trojan.PWS.OnLineGames.ASY (BitDefender), Win32/Frethog!generic (CA), Win32/PSW.Agent.NDO (ESET), Trojan-PSW.Win32.OnLineGames.isb (Kaspersky), W32/Suspicious_U.gen (Norman), Infostealer.Gampass (Symantec), TSPY_ONLINEG.AJD (Trend Micro).

Explanation :

PWS:Win32/Frethog.AJ is a variant of a large family of password-stealing trojans that target confidential data, such as account information, from Massively Multiplayer Online Role Playing Games (MMORPGs) such as World of Warcraft (WoW).

Symptoms

System Changes
The trojan may be present as a randomly named file, such as in the following examples:
%windir%\kvsc3.dll
%windir%\kvsc3.exe
The registry may be modified to execute the trojan at each Windows startup, as in the following example:
Adds value: "Kvsc3"
With data: "%windir%\kvsc3.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Installation
When executed, PWS:Win32/Frethog.AJ copies itself to the Windows directory with a randomly generated file name, such as the following:
%windir%\kvsc3.exe
Win32/Frethog.AJ drops another component as a DLL with the same randomly generated file name, such as the following:
%windir%\kvsc3.dll
The dropped DLL component is injected into the Windows shell, EXPLORER.EXE. The registry may be modified to run the dropped trojan copy at each Windows start, as in the following example:
Adds value: "Kvsc3"
With data: "%windir%\kvsc3.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Payload

Modifies System Security Settings
The dropper may circumvent security products by attempting to perform the following actions:
Prevents the security product "AVP Antivirus" from displaying notifications regarding system changes by closing windows used by this product.
Terminates "Ravmon.exe" if it is found running on the affected system; "Ravmon.exe" may be present as a component of the security product GeCAD RAV.

Steals Online Game Logon Credentials
The dropped DLL, once injected into Explorer.exe, can obtain login account information for one or more MMORPGs and affiliated products. The captured details are sent to a predefined remote server.
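The following host-triage script is an added example, not part of the original write-up. Because the dropped file name is randomly generated, it does not look for "kvsc3" specifically; instead it generalises the pattern the write-up describes: a Run value that launches an .exe sitting directly in the %windir% root, a .dll of the same base name dropped beside it, and that .dll loaded in explorer.exe. The Wow6432Node Run key is an assumption for 64-bit hosts (a 32-bit dropper writing HKLM\Software\...\Run is redirected there); the page itself lists only the native key.

```powershell
# Added triage check for the persistence/injection pattern described above.
# Not the original page's code. Generalised from the page's example name "kvsc3".
# Run in an elevated PowerShell session so Run keys and explorer.exe modules are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Assumption: WOW64 redirection target for a 32-bit dropper on a 64-bit host
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$windir = $env:windir   # e.g. C:\Windows

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; those are not Run values
        if ($prop.Name -like 'PS*') { continue }
        $data = [string]$prop.Value
        # Pull the launched executable out of the value data (quoted or not, with or without arguments)
        if ($data -match '^\s*"?(?<exe>[^"]+?\.exe)"?') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
            # Indicator 1: the Run value launches an .exe directly in the Windows root,
            # where the write-up says the dropper copies itself
            if ((Split-Path $exe -Parent) -ine $windir) { continue }
            # Indicator 2: a DLL with the same base name dropped next to it
            $dll = [IO.Path]::ChangeExtension($exe, '.dll')
            [pscustomobject]@{
                Key       = $key
                ValueName = $prop.Name
                Exe       = $exe
                ExeOnDisk = Test-Path -LiteralPath $exe
                Dll       = $dll
                DllOnDisk = Test-Path -LiteralPath $dll
            }
        }
    }
}

# Indicator 3: the same-named DLL is loaded in explorer.exe, the injection target named above
$explorerModules = @()
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try { $explorerModules += $p.Modules | ForEach-Object { $_.FileName } } catch { }
}
foreach ($f in $findings) {
    $loaded = [bool]($explorerModules | Where-Object { $_ -ieq $f.Dll })
    $f | Add-Member -NotePropertyName LoadedInExplorer -NotePropertyValue $loaded
}

if ($findings) {
    $findings | Format-List
} else {
    'No Run value launching an .exe from the %windir% root was found.'
}
```

Treat a hit as a lead, not a verdict: legitimate Run entries normally point into System32 or Program Files rather than the Windows root, but any match should be confirmed (file hash, signer, creation time) before the value and files are removed. The script checks only the file and registry artefacts the write-up lists; it does not look for the AV-tampering behaviour (closing AVP windows, killing Ravmon.exe), which leaves no persistent artefact to query.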

Analysis by Wei Li

Last update 04 February 2009
