PWS:Win32/OnLineGames.AH
First posted on 16 February 2013.
Source: Microsoft
Aliases:
There are no other names known for PWS:Win32/OnLineGames.AH.
Explanation:
Installation
PWS:Win32/OnLineGames.AH may be installed by other malware, and makes the following changes to the registry as part of its installation process:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
Sets value: (default)
With data: "<malware path and file name>"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: "0"
It registers itself as a Browser Helper Object (BHO), so that Internet Explorer loads the DLL in-process and the malware can see form data as it is typed, by making the following change to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: (value not set)
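The three registry changes above are the host-based indicators for this entry. The following PowerShell script is an added example, not part of the Microsoft write-up, that checks a Windows host for exactly those keys and reports the DLL path the InProcServer32 key points at. The CLSID and key paths are taken from the write-up; the function name, variable names and the Wow6432Node paths (the 32-bit view that a 32-bit Internet Explorer uses on 64-bit Windows) are this script's own assumptions.

```powershell
# Added example: look for the registry footprint described in the write-up.
# CLSID and key paths come from the entry; everything else is assumed here.
$Clsid = '{AB705622-B25B-491B-A6BF-4A46FDDBC88E}'

# Native view first, then the 32-bit (Wow6432Node) view. The second entry is an
# assumption: it only matters if the DLL is 32-bit and the host is 64-bit.
$Views = @(
    @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

function Test-OnLineGamesAHBho {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][hashtable[]]$Views
    )
    foreach ($v in $Views) {
        # -LiteralPath everywhere: the braces in a CLSID are not wildcards, but
        # registry paths may contain characters the wildcard parser would mangle.
        $bhoKey = Join-Path $v.Bho $Clsid
        $clsKey = Join-Path $v.Cls $Clsid
        $srvKey = Join-Path $clsKey 'InProcServer32'

        $serverPath   = $null
        $serverOnDisk = $false
        if (Test-Path -LiteralPath $srvKey) {
            # The (default) value of InProcServer32 is the DLL that Internet
            # Explorer will load in-process when the BHO is instantiated.
            $raw = (Get-ItemProperty -LiteralPath $srvKey).'(default)'
            if ($raw) {
                $serverPath   = $raw.Trim().Trim('"')
                $serverOnDisk = Test-Path -LiteralPath $serverPath
            }
        }

        [pscustomobject]@{
            View            = $v.Bho
            BhoRegistered   = Test-Path -LiteralPath $bhoKey
            ClassRegistered = Test-Path -LiteralPath $clsKey
            ServerPath      = $serverPath
            ServerOnDisk    = $serverOnDisk
        }
    }
}

$findings = Test-OnLineGamesAHBho -Clsid $Clsid -Views $Views
$findings | Format-Table -AutoSize

if ($findings | Where-Object { $_.BhoRegistered -or $_.ClassRegistered }) {
    Write-Warning "CLSID $Clsid is registered; record ServerPath before removing the keys and the DLL."
} else {
    Write-Output "No registry footprint for $Clsid found."
}
```

Reading HKLM does not require elevation, so the script can run as an ordinary user; removal of the keys and the DLL would. A ServerPath that is registered but no longer on disk (ServerOnDisk false) still indicates the host was infected at some point, and the write-up's "installed by other malware" wording means the dropper should be looked for separately rather than stopping at the BHO.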
Payload
Steals online game credentials
Once installed, PWS:Win32/OnLineGames.AH will monitor, and attempt to steal, the credentials you type into the following websites:
- aran.kr.gameclub.com
- auth.siren24.com
- baram.nexon.com
- bns.plaync.com
- booknlife.com
- capogames.net
- cultureland.co.kr
- df.nexon.com
- dk.halgame.com
- elsword.nexon.com
- hangame.com
- happymoney.co.kr
- heroes.nexon.com
- id.hangame.com
- itembay.com
- itemmania.com
- kr.battle.net
- lcs.mezzo.hangame.com
- login.nexon.com
- netmarble.net
- nexon.com
- nxpay.nexon.com
- pmang.com
- poker.hangame.com
- teencash.co.kr
Contacts remote hosts
PWS:Win32/OnLineGames.AH may also connect to the following remote hosts to download additional settings and components, or to post its stolen information:
- angel.frovez<removed>/cs0719
- lullaby.dovzle<removed>/cs0719
Analysis by Alden Pornasdoro
Last update 16 February 2013