
PWS:Win32/OnLineGames.BY


First posted on 07 April 2009.
Source: SecurityHome

Aliases:

PWS:Win32/OnLineGames.BY is also known as Win32/Gamepass.ACK (CA), Trojan-GameThief.Win32.WOW.fpp (Kaspersky), Win32/PSW.OnLineGames.NUO (ESET), PWS-Gamania.dll (McAfee), Trj/WoW.WB (Panda), Infostealer.Gampass (Symantec).

Explanation:

PWS:Win32/OnLineGames.BY is a detection for trojans that steal confidential information, such as account names and passwords, for the online game "The World of Legend".

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %Temp%\wooolinit.dat
    %Temp%\wsasystem.gif



    Installation
    When run, PWS:Win32/OnLineGames.BY drops a copy of itself as the following file:
    %Temp%\wooolinit.dat
    It checks if the following anti-virus processes are currently running:
  • AVP.EXE
  • KVMONXP.EXE
    If either of these processes is running, it also copies itself to the system as the following file:
    %Temp%\wsasystem.gif
    It creates the mutex 'asfasdfasdfasf' to ensure that only one instance of it is running.

    Payload
    Deletes Game File
    PWS:Win32/OnLineGames.BY checks if the following registry key exists:
    HKEY_LOCAL_MACHINE\SOFTWARE\snda\Woool
    If the above registry key exists, it then deletes the file '<game folder>\data\woool.dat.update', where <game folder> is the folder in which the "World of Legend" game is installed.

    Accesses System Files
    PWS:Win32/OnLineGames.BY checks if the following file exists:
    <system folder>\LPK.DLL
    This file is a Windows file that may be present on your system if you have installed an East Asian language pack. If found, PWS:Win32/OnLineGames.BY copies it as '<game folder>\data\woool.dll'.
    Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.

    Steals Information
    The 'wooolinit.dat' file injects itself into 'explorer.exe' to capture user account names and passwords for the game "The World of Legend". The stolen information is then sent to a remote Web server.

    Analysis by Tim Liu

    Last update 07 April 2009

     
