Trojan.PWS.OnlineGames.ZNH
First posted on 21 November 2011.
Source: BitDefender
Aliases :
There are no other names known for Trojan.PWS.OnlineGames.ZNH.
Explanation :
The malware comes bundled with cheat utilities for games (mostly from Asia).
Drops the following files: C:\Windows\system32\adsntzt.dll and C:\Windows\system32\crtdll.dll, which are injected into every running process.
It creates the following CLSID:
{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}
whose (Default) value is set to “adsntzt.dll”.
This CLSID is then registered in the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Another registry value, named after the DLL, is created under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
with its data set to the CLSID above.
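Both autostart locations named above can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the BitDefender entry; it assumes the standard COM layout in which the CLSID's InprocServer32 default value names the DLL, and uses the DLL and CLSID names from this entry as indicators to flag.

```powershell
# Added defender-side check (not from the original entry): enumerate the two
# autostart locations, resolve each CLSID to the DLL it loads, and report
# entries whose DLL is missing, unsigned, or matches the names on this page.

$suspectDlls  = @('adsntzt.dll', 'crtdll.dll')                 # from the entry
$suspectClsid = '{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}'       # from the entry

function Resolve-ClsidDll {
    param([string]$Clsid)
    # Assumption: in-process COM servers register their DLL under
    # CLSID\{guid}\InprocServer32 (checked in both the native and WOW64 views).
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path $key) { return (Get-ItemProperty -Path $key).'(default)' }
    }
    return $null
}

function Test-Entry {
    param([string]$Location, [string]$Name, [string]$Clsid)
    $dll   = Resolve-ClsidDll $Clsid
    $flags = @()
    if ($Clsid -ieq $suspectClsid) { $flags += 'clsid-matches-entry' }
    if (-not $dll) { $flags += 'no-inprocserver32' }
    else {
        if ($suspectDlls -contains (Split-Path -Leaf $dll)) { $flags += 'dll-name-matches-entry' }
        $full = [Environment]::ExpandEnvironmentVariables($dll)
        # A bare file name is resolved from System32, where the entry says the DLLs are dropped.
        if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path $env:SystemRoot "System32\$full" }
        if (-not (Test-Path $full)) { $flags += 'dll-missing' }
        elseif ((Get-AuthenticodeSignature $full).Status -ne 'Valid') { $flags += 'dll-unsigned' }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; CLSID = $Clsid; DLL = $dll; Flags = ($flags -join ',') }
}

$base    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$results = @()

# ShellExecuteHooks: each value NAME is a CLSID that Explorer loads on every ShellExecute.
$seh = Get-Item "$base\Explorer\ShellExecuteHooks" -ErrorAction SilentlyContinue
if ($seh) { foreach ($n in $seh.GetValueNames()) { $results += Test-Entry 'ShellExecuteHooks' $n $n } }

# ShellServiceObjectDelayLoad: each value DATA is a CLSID loaded by the shell at logon.
$ssodl = Get-Item "$base\ShellServiceObjectDelayLoad" -ErrorAction SilentlyContinue
if ($ssodl) { foreach ($n in $ssodl.GetValueNames()) { $results += Test-Entry 'SSODL' $n ($ssodl.GetValue($n)) } }

$results | Format-Table -AutoSize
```

Entries with an empty Flags column are registered, signed and present; anything else deserves a closer look, since legitimate software rarely uses either location today.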
Tries to access and download from the following URLs:
http://www.luoshabi.cn/[removed]/linaabc.a
http://xcloud.a141.zgsj.net/[removed]/recv.a
This malware is used to steal user information from online games such as hx2game.exe, Silkroad Online, KnightOnline, Lineage, Cabal Online and others.
Last update: 21 November 2011