Trojan.Dropper.Microjoin.WA
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Dropper.Microjoin.WA is also known as Infostealer.Gamepass, Trojan-GameThief.Win32.OnlineGames.tubd, Win32:OnlineGames-FAK.
Explanation:
This trojan is used to steal sensitive information from games.
On every run, the malware drops two files into %USERPROFILE%\Local Settings\Temp, a clean application named rxcf-green.exe and a malicious file named xq.exe, and runs both of them.
The malware (xq.exe) creates a malicious DLL named [random].dll in %WINDIR%\System32 and registers it in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\[random].dll -> {F0930A2F-D971-2828-8209-B7DF266ED44} and HKLM\SOFTWARE\Microsoft\Windows\Explorer\ShellExecuteHooks\{F0930A2F-D971-2828-8209-B7DF266ED44} -> null, where [random].dll is the same name in all cases.
The created DLL file has a random 8-character name, a different size and a different overlay every time. It is injected into the memory space of explorer.exe and of every other application that has explorer.exe as its parent.
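A triage check for the two registrations described above, added here as an example (it is not BitDefender's code): it parses value lines as `reg query` prints them for the ShellServiceObjectDelayLoad and ShellExecuteHooks keys and flags a CLSID that appears in both under an 8-character .dll value name. The function names and every sample value are constructed for illustration.

```python
import re

# One value line of `reg query <key>` output: name, type and optional data,
# separated by four spaces. Key header lines do not match and are skipped.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+)(?: {4}(?P<data>.*))?$")
# Loose on purpose: the CLSID printed in the write-up has a short final group.
CLSID = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
# The write-up describes a random 8-character name with a .dll extension.
DLL_NAME_8 = re.compile(r"^[A-Za-z0-9]{8}\.dll$", re.IGNORECASE)

# Constructed sample input (not taken from a real host).
SSODL_SAMPLE = """\
    ExampleShellObject    REG_SZ    {11111111-1111-1111-1111-111111111111}
    qmzkxwvp.dll    REG_SZ    {22222222-2222-2222-2222-222222222222}
"""
HOOKS_SAMPLE = """\
    {33333333-3333-3333-3333-333333333333}    REG_SZ    Example hook
    {22222222-2222-2222-2222-222222222222}    REG_SZ
"""

def parse_values(reg_query_text):
    """Return {value name: data} for the value lines in `reg query` output."""
    values = {}
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if m:
            values[m.group("name")] = (m.group("data") or "").strip()
    return values

def find_suspect_registrations(ssodl_text, hooks_text):
    """Cross-reference both keys for the registration pattern described above."""
    hook_clsids = {n.upper() for n in parse_values(hooks_text) if CLSID.match(n)}
    findings = []
    for name, data in parse_values(ssodl_text).items():
        if not CLSID.match(data):
            continue
        in_hooks = data.upper() in hook_clsids
        dll_named = bool(DLL_NAME_8.match(name))
        if in_hooks or dll_named:
            findings.append({
                "value": name, "clsid": data.upper(),
                "also_execute_hook": in_hooks, "dll_style_name": dll_named,
                "confidence": "high" if in_hooks and dll_named else "review",
            })
    return findings

if __name__ == "__main__":
    for f in find_suspect_registrations(SSODL_SAMPLE, HOOKS_SAMPLE):
        print(f)
```

A "review" result means only one of the two conditions held, so legitimate shell extensions can appear there and need a manual look at the DLL the CLSID resolves to.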
After that, xq.exe will use the bat self-delete method to delete itself from the disk by creating a new .bat file in the %USERPROFILE%\Local Settings\Temp folder.
Last update 21 November 2011