
Trojan-PSW:W32/Wowsteal


First posted on 22 April 2009.
Source: SecurityHome

Aliases :

Trojan-PSW:W32/Wowsteal is also known as PWS:Win32/Wowsteal (Microsoft), TSPY_WOW (Trend Micro).

Explanation :

This type of trojan steals passwords and other sensitive information. It may also secretly install other malicious programs.

Additional Details

This is the Trojan-PSW:W32/Wowsteal family description.

Variants in the Wowsteal family are trojans that steal sensitive information related to the popular Massively Multiplayer Online Role-Playing Game (MMORPG) World of Warcraft.

Execution

On execution, the trojan checks whether the World of Warcraft executable, wow.exe, is running.

Wowsteal then checks whether the following files exist:


• data\enTW\realmlist.wtf
• data\koKR\realmlist.wtf
• data\enGB\realmlist.wtf
• data\enUS\realmlist.wtf
These files usually contain information related to World of Warcraft, such as:


• IP address and host name of the machine
• Game server name
• Role information (name, job, sex, level)
• Game information (gold, map name)

Network Connection

Wowsteal also monitors browser activity for user visits to the following sites:


• cn1.grunt.wowchina.com
• cn2.grunt.wowchina.com
• cn3.grunt.wowchina.com
• cn4.grunt.wowchina.com
• cn5.grunt.wowchina.com
• cn6.grunt.wowchina.com
• cn7.grunt.wowchina.com
• cn8.grunt.wowchina.com
• us.logon.worldofwarcraft.com
• eu.logon.worldofwarcraft.com
• tw.logon.worldofwarcraft.com
• kr.logon.worldofwarcraft.com
The trojan attempts to steal the user's login details for these sites.

Once the game-related information and login details are gathered, Wowsteal posts the data to a remote server using an HTTP POST request.

The trojan can also download an update of itself.
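The file and host lists above are the observable pieces of this behaviour that a defender can match on. The following is an added example, not part of the original description: a small Python check over constructed host-monitoring events that flags any process other than the expected game client touching the realmlist.wtf files or contacting the listed login hosts. The log format, the allow-list of expected processes and the process name svchost32.exe are all assumptions made for the example.

```python
import re

# Realmlist paths and login hosts named in the Wowsteal description.
REALMLIST_PATHS = {
    r"data\enTW\realmlist.wtf", r"data\koKR\realmlist.wtf",
    r"data\enGB\realmlist.wtf", r"data\enUS\realmlist.wtf",
}
LOGIN_HOSTS = {f"cn{i}.grunt.wowchina.com" for i in range(1, 9)} | {
    "us.logon.worldofwarcraft.com", "eu.logon.worldofwarcraft.com",
    "tw.logon.worldofwarcraft.com", "kr.logon.worldofwarcraft.com",
}
# Assumption: only the game client itself should touch these artefacts.
EXPECTED_PROCESSES = {"wow.exe"}

# Assumed event format: "<timestamp> <process> <file|net> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<kind>file|net) (?P<target>\S+)$")


def scan(lines):
    """Return (timestamp, process, reason) for each suspicious event."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or empty line
        proc = m["proc"].lower()
        if proc in EXPECTED_PROCESSES:
            continue  # the game client is allowed to read/contact these
        target = m["target"]
        if m["kind"] == "file" and any(
            target.lower().endswith(p.lower()) for p in REALMLIST_PATHS
        ):
            hits.append((m["ts"], proc, f"realmlist read: {target}"))
        elif m["kind"] == "net" and target.lower() in LOGIN_HOSTS:
            hits.append((m["ts"], proc, f"login host contact: {target}"))
    return hits


# Constructed sample events; svchost32.exe is an invented process name.
SAMPLE_LOG = """
2009-04-22T10:00:01 wow.exe file C:\\Games\\WoW\\data\\enUS\\realmlist.wtf
2009-04-22T10:00:05 svchost32.exe file C:\\Games\\WoW\\data\\enUS\\realmlist.wtf
2009-04-22T10:00:06 svchost32.exe file C:\\Games\\WoW\\data\\koKR\\realmlist.wtf
2009-04-22T10:01:10 wow.exe net us.logon.worldofwarcraft.com
2009-04-22T10:01:12 svchost32.exe net us.logon.worldofwarcraft.com
2009-04-22T10:02:00 iexplore.exe net www.example.com
"""

if __name__ == "__main__":
    for ts, proc, reason in scan(SAMPLE_LOG.splitlines()):
        print(ts, proc, reason)
```

Running it reports the two realmlist reads and the one login-host contact made by the unexpected process, and nothing for wow.exe or the unrelated browser request.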


Stealth


The trojan hooks into explorer.exe for stealth.

Last update 22 April 2009
