Home / malware Trojan-PSW:W32/Wowsteal
First posted on 22 April 2009.
Source: SecurityHomeAliases :
Trojan-PSW:W32/Wowsteal is also known as PWS:Win32/Wowsteal (Microsoft), TSPY_WOW (Trend Micro).
Explanation :
This type of trojan steals passwords and other sensitive information. It may also secretly install other malicious programs.
Additional DetailsThis is the Trojan-PSW:W32/Wowsteal family description.
Variants in the Wowsteal family are trojans that steal sensitive information related to the popular Massively Multiplayer Online Role-Playing Game (MMORPG) World of Warcraft.
Execution
On execution, the trojan checks whether the World of Warcraft executable, wow.exe, is running. .
Wowsteal the checks to see if the following files exist:
• data\enTW\realmlist.wtf
• data\koKR\realmlist.wtf
• data\enGB\realmlist.wtf
• data\enUS\realmlist.wtf
These files usually contain information related World of Warcraft, such as:
• IP and host host name of the machine
• Game server name
• Role information (name, job, sex, level)
• Game information (gold,map name)
Network Connection
Wowsteal also monitors browser activity for user visits to the following sites:
• cn1.grunt.wowchina.com
• cn2.grunt.wowchina.com
• cn3.grunt.wowchina.com
• cn4.grunt.wowchina.com
• cn5.grunt.wowchina.com
• cn6.grunt.wowchina.com
• cn7.grunt.wowchina.com
• cn8.grunt.wowchina.com
• us.logon.worldofwarcraft.com
• eu.logon.worldofwarcraft.com
• tw.logon.worldofwarcraft.com
• kr.logon.worldofwarcraft.com
The trojan attempts to steal the user's login details for these sites.
Once the game-related information and login details are gathered, Wowsteal posts the data to a remote server using POST command.
The trojan can also download an update of itself.
Stealth
Hooks to explorer.exe for stealthLast update 22 April 2009
