
Trojan.PWS.OnlineGames.KDLC


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.PWS.OnlineGames.KDLC.

Explanation :

This is a trojan horse that steals private information, specifically login information for a number of
online games (see list below).

The malware moves itself to the location <user's documents and settings>\Local Settings\Temp\dsoqq.exe. It sets an autorun for the copy by adding a value called "dso32" to the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".

It also drops a '.dll' file called dsoqq0.dll at the same location as dsoqq.exe.

The malware also starts executing code through the explorer.exe process (the dll is created by explorer.exe). Every minute or so, Explorer creates on all drives an autorun.inf file pointing to an exe with a random name (e.g. bu8.exe), which is another copy of the malware. This allows the malware to be distributed through removable drives.

The code running in Explorer also loads the created .dll file when the user runs an application. The .dll is used to spy on that application and, if it detects one of the online games, it waits for the user to input his/her credentials and sends them to the malware's creator. It also tries to bypass some anti-hack tools used with these games, like HShield.
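The persistence and removable-drive behaviour described above can be checked offline against artifacts collected from a host. The following Python code is an added example, not BitDefender's; the function names and input shapes (a dict of Run-key values, a list of Temp file names, a per-drive dict of root files) are assumptions, and its findings are leads for review rather than verdicts.

```python
import ntpath
import re

# Indicators named in the write-up above.
RUN_VALUE = "dso32"
DROPPED = {"dsoqq.exe", "dsoqq0.dll"}
# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)

def autorun_targets(text):
    """Programs that the [autorun] section of an autorun.inf would launch."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if LAUNCH_KEYS.match(key) and value:
                # Keep the program path only, dropping trailing arguments.
                quoted = value.startswith('"')
                prog = value[1:].split('"', 1)[0] if quoted else value.split()[0]
                if prog:
                    targets.append(prog)
    return targets

def triage(run_values, temp_files, drive_roots):
    """run_values: {name: data} from the HKCU Run key; temp_files: names in the
    user's Temp folder; drive_roots: {drive: {file name: text or None}}."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE:
            findings.append(("run-key", f"{name} -> {data}"))
    for name in temp_files:
        if name.lower() in DROPPED:
            findings.append(("temp-file", name))
    for drive, files in drive_roots.items():
        lowered = {n.lower(): t for n, t in files.items()}
        # The copy's name is random, so match on behaviour: an autorun.inf
        # that launches an .exe sitting in the same drive root.
        for target in sorted(set(autorun_targets(lowered.get("autorun.inf") or ""))):
            base = ntpath.basename(target).lower()
            if base.endswith(".exe") and base in lowered:
                findings.append(("autorun", f"{drive} autorun.inf -> {target}"))
    return findings

# Constructed sample data, not collected from a real host.
SAMPLE_INF = "[AutoRun]\nopen=bu8.exe\nshell\\open\\command=bu8.exe\n"
```
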

The full list of targeted games is:

- Maple Story
- Cabal Online
- Metin2
- Dungeon fighter
- Dofus (it recognizes the game by searching for known server, NPC or items' names like: Crocoburio, Lily, Hecate, Ruliet, Vil Smisse, etc.)
- Flyff (again, searches for keywords like Clockworks, Glaphan, Mushpoie, etc.)
- Aion Online
- Last Chaos
- Knight Online
- Silk Road Online
- 2moons
- Dekaron
- Lineage 2
- World of Warcraft
- Seal Online

Last update 21 November 2011

 
