PWS:Win32/Dozmot.C


First posted on 30 June 2009.
Source: SecurityHome

Aliases :

PWS:Win32/Dozmot.C is also known as PWS:Win32/Wowsteal.AS (other).

Explanation :

PWS:Win32/Dozmot.C is a password stealer trojan that captures logon credentials for the multi-player online games "World of Warcraft" and "Final Fantasy XI". This trojan may download and execute other malware.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Installation
PWS:Win32/Dozmot.C is installed by TrojanDropper:Win32/Dozmot.C and is present as a file with a random file name, as in the following example:

<system folder>\e5jid7my.dll

The registry is modified as in the following example:

Adds value: "dll"
With data: "<system folder>\e5jid7my.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

PWS:Win32/Dozmot.C is then launched by the dropper with the aid of the Windows application "rundll32.exe", after which the dropper deletes itself and terminates. PWS:Win32/Dozmot.C injects its code into running processes and behaves differently depending on the process to which it is attached, as described below.

Payload
Launches Internet Explorer
If PWS:Win32/Dozmot.C is injected into the processes "explorer.exe", "wmiprvse.exe", "alg.exe", "wuauclt.exe", "wscntfy.exe" or "ctfmon.exe", the trojan will load Internet Explorer using a parameter as in this example:

%Program Files%\Internet Explorer\iexplore.exe About:_.=[Madam,I'm Adam]=._

The .DLL is unloaded and then scheduled to be deleted at the next Windows reboot.

Downloads and Executes Arbitrary Programs
If PWS:Win32/Dozmot.C is injected into "iexplore.exe" and iexplore.exe was called with "About:_.=[Madam,I'm Adam]=._" as parameters, the trojan sends data to the domain 'b35.info'. The domain uses a server-side script to log the sent data. The data is sent in the following format:

<domain and subfolder>/lin.php?m=<MAC Address>&g=<installed game value>

Where <installed game value> is a concatenation of the following:

"wow+" - if the registry subkey 'HKLM\SOFTWARE\Blizzard Entertainment\World of Warcraft' is present
"ffxi" - if the registry subkey 'HKLM\SOFTWARE\PlayOnline[US|JP|EU]' is present

If the server replies "ok", the trojan retrieves a data file from the same domain as 'url.txt'. If this step fails, it will retry 5 times at 10 second intervals, after which the process 'iexplore.exe' is terminated. The data file 'url.txt' contains a list of NULL-delimited URLs. PWS:Win32/Dozmot.C will download each and, if executable, it will spawn processes from the downloaded files.

Sends Other Data
If PWS:Win32/Dozmot.C is injected into the process "wow.exe" (World of Warcraft) or "pol.exe" (PlayOnline Viewer), the trojan patches computer memory in order to retrieve game data. The trojan then connects to the domain 'b35.info' and submits the retrieved game data.
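The check-in URL format and the Internet Explorer launch argument described above are the two host- and network-observable indicators a defender can match on. The following Python helpers are an added example written for this page, not code from the write-up or its author: they parse the lin.php check-in out of constructed proxy log lines and flag the marked iexplore.exe launch in process-creation data. The proxy log layout, the MAC address formats accepted and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

CHECKIN_HOST = "b35.info"                        # check-in domain named in the write-up
IE_MARKER = "About:_.=[Madam,I'm Adam]=._"       # argument the dropper-launched iexplore.exe gets
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")  # assumed MAC formats
GAME_TOKENS = {"wow", "ffxi"}                    # values that build the 'g=' parameter

def parse_checkin(url):
    """Return {'mac': ..., 'games': [...]} if url looks like the lin.php check-in, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != CHECKIN_HOST and not host.endswith("." + CHECKIN_HOST):
        return None
    if not parts.path.endswith("/lin.php"):
        return None
    # Parse the query by hand: parse_qs() would decode the '+' in 'g=wow+ffxi' as a space.
    params = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
    mac, game_value = params.get("m", ""), params.get("g", "")
    if not MAC_RE.match(mac):
        return None
    games = [t for t in game_value.split("+") if t]  # 'wow+' -> ['wow'], 'wow+ffxi' -> both
    if any(t not in GAME_TOKENS for t in games):
        return None
    return {"mac": mac, "games": games}

def is_dozmot_ie_launch(image, command_line):
    """True for a process-creation event matching the dropper's Internet Explorer launch."""
    return image.lower().endswith("iexplore.exe") and IE_MARKER in command_line

def scan_proxy_log(lines):
    """Return (client_ip, parsed check-in) pairs for log lines in 'ts client method url' form."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        parsed = parse_checkin(fields[3])
        if parsed:
            hits.append((fields[1], parsed))
    return hits

# Constructed sample log lines (not real traffic); only the second one is a Dozmot.C check-in.
SAMPLE_PROXY_LOG = [
    "2009-06-30T10:00:01 10.0.0.5 GET http://example.com/index.html",
    "2009-06-30T10:00:07 10.0.0.5 GET http://b35.info/path/lin.php?m=00-11-22-33-44-55&g=wow+ffxi",
    "2009-06-30T10:00:09 10.0.0.7 GET http://b35.info/other.php?m=00-11-22-33-44-55&g=wow+",
]
```

A hit from `scan_proxy_log` gives the client that beaconed and which game registry keys were present on it, which is what an analyst needs to scope which hosts to pull for the registry value and DLL named in the Installation section.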

Analysis by Cristian Craioveanu

Last update 30 June 2009
