Trojan.Dropper.RWY
First posted on 21 November 2011.
Source: BitDefender
Aliases: Trojan.Dropper.RWY is also known as Trojan-PSW.Win32.OnLineGames.adjg, Infostealer.Gampass, Spy/.
Explanation:
When started, the malware drops the files spmyaapi.sys and mpmycapi.dll and creates a copy of itself named simyaapi.exe in %windir%\system32. Note that these files are hidden. It then runs the new copy and deletes the original file.
mpmycapi.dll is registered using the following keys:
HKCR\CLSID\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\InprocServer32\(Default) = "%windir%\system32\mpmycapi.dll"
HKCR\CLSID\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\InprocServer32\ThreadingModel = "Apartment"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3629FF4F-ACDB-5C90-A098-FACB3456A263} = "mpmycapi.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\(Default) = "mpmycapi.dll"
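The two registration points above (ShellExecuteHooks and Browser Helper Objects) are what keep the DLL loaded. The following PowerShell triage script is an added example, not part of the BitDefender entry: it enumerates both locations, resolves each CLSID to its InprocServer32 DLL, and flags entries matching the indicators quoted on this page (the CLSID and file names come from the entry; the hidden-attribute check follows the entry's note that the dropped files are hidden). It is read-only and assumes an elevated session on the host being examined.

```powershell
# Added triage example: inventory ShellExecuteHooks and BHO registrations and
# flag entries that match the indicators given in the Trojan.Dropper.RWY entry.
$KnownClsid = '{3629FF4F-ACDB-5C90-A098-FACB3456A263}'      # CLSID from the entry
$KnownFiles = 'mpmycapi.dll', 'spmyaapi.sys', 'simyaapi.exe' # file names from the entry

$HookKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-ClsidServer {
    param([string]$Clsid)
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so it is checked first; the HKLM path is a fallback on minimal providers.
    foreach ($root in "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid", "HKLM:\Software\Classes\CLSID\$Clsid") {
        $srv = Get-ItemProperty -Path "$root\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { return [Environment]::ExpandEnvironmentVariables($srv.'(default)') }
    }
    return $null
}

$findings = @()
foreach ($key in $HookKeys) {
    # ShellExecuteHooks stores CLSIDs as value names; BHOs store them as subkeys.
    $clsids = @()
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) { $clsids += $props.PSObject.Properties.Name | Where-Object { $_ -like '{*}' } }
    $clsids += Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }

    foreach ($clsid in ($clsids | Sort-Object -Unique)) {
        $dll  = Resolve-ClsidServer $clsid
        $leaf = if ($dll) { Split-Path -Leaf $dll } else { '' }
        $reasons = @()
        if ($clsid -ieq $KnownClsid)      { $reasons += 'CLSID matches Trojan.Dropper.RWY' }
        if ($KnownFiles -contains $leaf)  { $reasons += "server DLL name $leaf matches entry" }
        # A hidden COM server DLL is unusual; the entry states the dropped files are hidden.
        if ($dll -and (Test-Path -LiteralPath $dll) -and
            (((Get-Item -LiteralPath $dll -Force).Attributes -band [IO.FileAttributes]::Hidden) -ne 0)) {
            $reasons += 'server DLL is hidden'
        }
        $findings += [pscustomobject]@{ Key = $key; CLSID = $clsid; Server = $dll; Reasons = ($reasons -join '; ') }
    }
}

# Show the full inventory so the analyst can review every hook and BHO; flagged rows carry a reason.
$findings | Sort-Object Reasons -Descending | Format-Table -AutoSize
```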
This DLL is used to steal account information from players of an MMORPG. Once loaded into a process, the DLL takes one of the following actions, depending on the process name:
If the process is named soul.exe, it creates a thread that monitors keystrokes to steal information, which is then sent to a specific location on the Internet.
If the process is named play.exe, the path of the process is used to delete %process path%\iniGameSetUp.ini and %process path%\TQAT*.exe.
If the process has neither of the above names, it tries to infect other running processes and refreshes the registry entries.
When the malware is run for the first time, simyaapi.exe is used to load the first instance of mpmycapi.dll. Afterwards, it is loaded at startup.
Last update 21 November 2011