Trojan.Downloader.Small.ABFV
First posted on 21 November 2011.
Source: BitDefender
Aliases: Trojan.Downloader.Small.ABFV is also known as PWS:Win32/Lolyda.AA, Worm.win32.Downloader.abx and Infostealer.Gampass.
Explanation:
This malware belongs to a family of online-game password stealers.
It is a UPX-packed executable which, upon execution, drops a DLL with a random name of eight lowercase letters into the %SYSTEM% folder. This DLL is injected into the address space of every running process in order to steal account information for the Chinese online game Westward Journey Online II. Inside each process the DLL checks whether the host process name is xy2.exe or xy2_ex.exe; if it is, the user's sensitive data is sent to the malware's author via HTTP POST to:
http://dh2.ac[removed].cn/ZONGXXXOUT/post.asp
http://dh2.ac[removed].cn/GGGZ/xiaochang/post.asp
using the following parameters (%s marks a value filled in at run time; client and area are sent empty):
account=%s&password1=%s&password2=%s&passed=%s&specialSign=%s&client=&area=&server=%s&inputsource=%s&levels=%s&name=%s&other=%s&verify=%s
In order for this DLL to be loaded at every system startup, the malware registers it as a COM in-process server and lists its CLSID in two locations that Explorer loads automatically at logon. The CLSID and the DLL name vary per sample and are not preserved in the source text; they appear below as placeholders:
HKEY_CLASSES_ROOT\CLSID\<CLSID>\InProcServer32
@ = C:\WINDOWS\system32\<random name>.dll
HKEY_CLASSES_ROOT\CLSID\<CLSID>\InProcServer32
ThreadingModel = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
<CLSID> = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
<value name> = <CLSID>
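As an added hunting example (this is not code from the BitDefender write-up), the PowerShell below walks the two auto-load locations listed above, resolves each CLSID to its InProcServer32 DLL and flags entries matching the traits described: a DLL under system32 whose base name is eight lowercase letters, or a DLL without a valid Authenticode signature. The name pattern, the signature check and the additional look-up under HKCU\Software\Classes are heuristics assumed here, not indicators taken from the original text.

```powershell
# Hunting example added to this page (not BitDefender's code).
# Enumerates ShellExecuteHooks and ShellServiceObjectDelayLoad, resolves each
# CLSID to its InProcServer32 DLL and flags the traits described in the write-up.
# Heuristics (assumptions): eight-lowercase-letter DLL name under system32,
# missing/invalid Authenticode signature, HKCU CLSID registrations also checked.

$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$system32   = Join-Path $env:SystemRoot 'system32'
$psNoise    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$clsidRegex = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-ClsidServer {
    param([string]$Clsid)
    # Per-machine registration first, then per-user (HKCU can shadow HKLM).
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path (Join-Path $root $Clsid) 'InProcServer32'
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

$findings = foreach ($hk in $hookKeys) {
    if (-not (Test-Path $hk)) { continue }
    $props = Get-ItemProperty -Path $hk
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }   # provider metadata, not registry values
        # ShellExecuteHooks stores the CLSID as the value name (data is "");
        # ShellServiceObjectDelayLoad stores an arbitrary name with the CLSID as data.
        $clsid = if ($p.Name -match $clsidRegex) { $p.Name } else { [string]$p.Value }
        if ($clsid -notmatch $clsidRegex) { continue }
        $dll = Resolve-ClsidServer $clsid
        if (-not $dll) { continue }
        $base       = [IO.Path]::GetFileNameWithoutExtension($dll)
        $inSys32    = $dll -like "$system32\*"
        $randomName = $base -cmatch '^[a-z]{8}$'           # case-sensitive: lowercase only
        $sig        = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Location   = $hk.Split('\')[-1]
            ValueName  = $p.Name
            CLSID      = $clsid
            DLL        = $dll
            Signature  = $sig
            Suspicious = ($inSys32 -and $randomName) -or ($sig -ne 'Valid')
        }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in PowerShell on the suspect host; reading these keys needs no elevation, but the DLL signature check needs read access to the file. Microsoft's own shell extensions normally resolve to signed DLLs with descriptive names, so anything that comes back with Suspicious set to True is worth pulling for analysis. Note that a sample can still hide behind a legitimate-looking name, so treat the name pattern as a triage aid rather than a verdict.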
Then the malware drops a batch file that is used to delete the original executable.
Last update: 21 November 2011