
Trojan.PWS.OnlineGames.KCWV


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.PWS.OnlineGames.KCWV is also known as Trojan-GameThief.Win32.Magania.bwsr, PWS:Win32/Lolyda.AT, W32/OnlineGames.BWA!tr.pws, Infostealer.Gampass.

Explanation:

The malware creates a configuration file named [random].Ttf in "%WINDIR%\Downloaded Programs Files" and a DLL in the "%WINDIR%\system32" directory named "CWcQnWxHjWqtE6PsYyEe.inf". It then creates a new registry entry, HKLM\SOFTWARE\Classes\CLSID\{CB661471-055A-4C5B-9ED0-497B9908FEF5}\InprocServer32, whose (default) value points to C:\WINDOWS\system32\CWcQnWxHjWqtE6PsYyEe.inf (the CLSID and the .inf file name may vary).

It will also register itself as an Explorer ShellExecuteHook by creating the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{CB661471-055A-4C5B-9ED0-497B9908FEF5} -> null.

It also tries to delete "%WINDIR%\system32\verclsid.exe", and at the end of its execution it deletes itself from the disk to remove any trace of its presence.

It has the ability to take screenshots from time to time and to record sensitive data, which it sends to a malware server together with the user name, password and other details about the affected user.
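The persistence described above rests on two registry pieces: a CLSID whose InprocServer32 points at the dropped file, and a ShellExecuteHooks value naming that CLSID so Explorer loads it. The following PowerShell script is an added example for defenders (it is not part of the BitDefender entry and not the malware's code): it enumerates every ShellExecuteHooks entry, resolves each CLSID to its InprocServer32 path, and flags the traits this sample shows (a COM server whose file is not a .dll, a missing or unsigned server file), then checks whether verclsid.exe, the shell extension verifier the sample tries to delete, is still present and lists any .ttf files in the Downloaded Program Files directory. The function name `Get-ShellExecuteHookReport` and the "suspicious" heuristics are this example's own assumptions; run it in an elevated PowerShell session on the host being examined. Note that the ShellExecuteHooks key is absent on many newer systems (and is not honored by default on Vista and later), in which case the report is simply empty.

```powershell
# Added defender example (not from the BitDefender entry). Assumes elevated PowerShell.
$HooksKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$VerclsidExe = Join-Path $env:WINDIR 'system32\verclsid.exe'
# The entry spells the folder "Downloaded Programs Files"; the usual Windows name has no "s".
$DropFolders = @(
    (Join-Path $env:WINDIR 'Downloaded Program Files'),
    (Join-Path $env:WINDIR 'Downloaded Programs Files')
)

function Get-ShellExecuteHookReport {
    # Returns one object per registered ShellExecuteHook with the resolved server path
    # and the reasons (if any) it looks suspicious. Hypothetical helper, not a vendor API.
    $findings = @()
    if (-not (Test-Path $HooksKey)) { return $findings }

    $hooks = Get-Item -Path $HooksKey
    foreach ($clsid in $hooks.GetValueNames()) {
        if ([string]::IsNullOrEmpty($clsid)) { continue }   # skip the key's own (default) value

        $inprocKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $rawPath = $null
        if (Test-Path $inprocKey) {
            # Get-ItemProperty exposes the unnamed value as the '(default)' property
            $rawPath = (Get-ItemProperty -Path $inprocKey -ErrorAction SilentlyContinue).'(default)'
        }
        $server = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }

        $reasons = @()
        if (-not $server) {
            $reasons += 'hook CLSID has no InprocServer32 path'
        } else {
            # A COM in-process server that is not a .dll is unusual; this sample uses an .inf name.
            if ([IO.Path]::GetExtension($server).ToLower() -ne '.dll') { $reasons += 'server file is not a .dll' }
            if (Test-Path $server) {
                $sig = Get-AuthenticodeSignature -FilePath $server
                if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status: $($sig.Status)" }
            } else {
                $reasons += 'server file missing on disk'
            }
        }

        $findings += [pscustomobject]@{
            CLSID      = $clsid
            Server     = $server
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
    return $findings
}

function Get-DropArtifactReport {
    # Checks the two side effects the entry describes: verclsid.exe deleted and a
    # [random].Ttf file in the Downloaded Program Files folder.
    $notes = @()
    if (-not (Test-Path $VerclsidExe)) {
        $notes += "$VerclsidExe is missing (the sample attempts to delete it)"
    }
    foreach ($folder in $DropFolders) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -Filter '*.ttf' -File -ErrorAction SilentlyContinue |
                ForEach-Object { $notes += "font-named file in Downloaded Program Files: $($_.FullName)" }
        }
    }
    return $notes
}

# Usage: print the hook table, then the file-system findings.
Get-ShellExecuteHookReport | Format-Table -AutoSize
Get-DropArtifactReport | ForEach-Object { Write-Warning $_ }
```

Treat any hook whose server is not a signed .dll, or a missing verclsid.exe, as a lead to confirm with a full scan rather than as proof on its own; legitimate hooks exist, so the script reports reasons rather than deleting anything.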

Last update 21 November 2011
