
PWS:Win32/OnLineGames.KQ


First posted on 04 January 2013.
Source: Microsoft

Aliases:

PWS:Win32/OnLineGames.KQ is also known as Win-Trojan/Onlinegamehack79.Gen (AhnLab), W32/OnlineGames.HV.gen!Eldorado (Command), W32/OnLineGames.NVMY (Norman), Trojan horse PSW.OnlineGames3.BLVY (AVG), Trojan.PWS.Gamania.30770 (Dr.Web), Win32/PSW.OnLineGames.QMR trojan (ESET), Trojan-PWS.Win32.OnLineGames (Ikarus), Trojan.PSW.OnLineGames!3ED6 (Rising AV), Mal/PWS-HO (Sophos), Infostealer.Gampass (Symantec), TSPY_ONLINEG.XXK (Trend Micro).

Explanation:



Installation

PWS:Win32/OnLineGames.KQ is installed as a DLL file. It may use any of the following names:

  • <system folder>\win32.dll
  • <system folder>\ws2help.dll
  • <system folder>\imm32b.dll


Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is "C:\WinNT\System32" on Windows 2000 and NT, and "C:\Windows\System32" on Windows XP, Vista, 7, and 8.



Payload

Steals sensitive information

When PWS:Win32/OnLineGames.KQ is loaded by iexplore.exe, it tries to steal user account credentials if you log on to any of the following websites:

  • aion.plaync.co.kr
  • bm.ndoors.com
  • hangame.com
  • heva.windyzone.com
  • maestia.ndolfin.com
  • netmarble.net
  • pmang.com


It also monitors and captures your user credentials if any of the following processes, related to online games, are running on your computer:

  • dnf.exe
  • exlauncher.exe
  • ff2client.exe
  • game.exe
  • heroes.exe
  • maplestory.exe
  • tera.exe


The collected information may be logged into the following files in <system folder>:

  • aionlog.ini
  • darkbloodlog.ini
  • dflog.ini
  • fbloodlog.ini
  • fflog.ini
  • gamelog.ini
  • hangame.ini
  • heavlog.ini
  • it1.ini
  • luoqilog.ini
  • maestia.ini
  • mxdlog.ini
  • pmanglog.ini
  • tianyilog.ini


This trojan then sends the data to any of the following websites via HTTP POST:

  • dnf.mdnjbweo.com
  • hangame.dfjedvk11.com
  • iiiii.tobav.com
  • maple.fjijdejiw.com


Additional information

To avoid detection, PWS:Win32/OnLineGames.KQ exits if it is loaded by any of the following processes:

  • ALYac.aye
  • AyAgent.aye
  • SkyMon.exe
  • SystemMon.exe
  • V3Light.exe
  • V3LSvc.exe
  • V3LTray.exe
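The file names, credential log names and drop domains listed above can be turned into a small triage check. The script below is an added example and is not part of the Microsoft write-up; the function names, the proxy log format ("timestamp client method url status") and the sample System32 listing are all constructed for illustration. One caveat a responder should keep in mind: ws2help.dll is also the name of a legitimate Winsock helper DLL that ships with Windows XP, so a file-name match on it alone is only a weak signal (the binary would have to be hashed or scanned to confirm), and the example reports it separately from the names that do not normally exist in a clean System32.

```python
"""Triage helper built from the indicators in the PWS:Win32/OnLineGames.KQ write-up.
Added example code; the inputs below are constructed, not taken from a real infection."""
import re

# DLL names the trojan installs under in <system folder>
DROPPED_DLLS = {"win32.dll", "ws2help.dll", "imm32b.dll"}
# ws2help.dll is also a legitimate Winsock helper DLL on Windows XP (assumption
# noted in the lead-in), so a name-only match for it is reported as weak.
LEGIT_COLLISIONS = {"ws2help.dll"}

# Files the trojan may write stolen credentials into, in <system folder>
CREDENTIAL_LOGS = {
    "aionlog.ini", "darkbloodlog.ini", "dflog.ini", "fbloodlog.ini", "fflog.ini",
    "gamelog.ini", "hangame.ini", "heavlog.ini", "it1.ini", "luoqilog.ini",
    "maestia.ini", "mxdlog.ini", "pmanglog.ini", "tianyilog.ini",
}

# Hosts the trojan sends collected data to via HTTP POST
EXFIL_HOSTS = {
    "dnf.mdnjbweo.com", "hangame.dfjedvk11.com",
    "iiiii.tobav.com", "maple.fjijdejiw.com",
}


def check_system_folder(filenames):
    """Classify entries from a <system folder> listing.

    Matching is case-insensitive because NTFS file names are; the original
    spelling is kept in the result so it can be quoted in a report.
    """
    strong, weak, logs = [], [], []
    for name in filenames:
        n = name.lower()
        if n in DROPPED_DLLS:
            (weak if n in LEGIT_COLLISIONS else strong).append(name)
        elif n in CREDENTIAL_LOGS:
            logs.append(name)
    return {"dll_strong": strong, "dll_weak": weak, "credential_logs": logs}


# Constructed proxy log format: "<timestamp> <client_ip> <METHOD> <url> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")


def find_exfil_contacts(log_lines):
    """Return (client, method, host) for every request to a listed drop host.

    The write-up describes HTTP POSTs, but any contact with these hosts is
    worth flagging, so the method is returned for the analyst to weigh.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in log_lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        h = HOST_RE.match(m["url"])
        if not h:
            continue
        host = h.group(1).lower()
        if host in EXFIL_HOSTS:
            hits.append((m["client"], m["method"], host))
    return hits


# Constructed sample inputs for a stand-alone run
SAMPLE_SYSTEM32 = [
    "kernel32.dll", "WS2HELP.DLL", "imm32b.dll", "imm32.dll", "hangame.ini", "ntdll.dll",
]
SAMPLE_PROXY_LOG = [
    "2013-01-04T10:02:11Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2013-01-04T10:02:40Z 10.0.0.15 POST http://hangame.dfjedvk11.com/post.asp 200",
    "2013-01-04T10:03:02Z 10.0.0.22 GET http://iiiii.tobav.com/ 404",
    "not a proxy log line",
]

if __name__ == "__main__":
    print("System folder:", check_system_folder(SAMPLE_SYSTEM32))
    print("Drop-host contacts:", find_exfil_contacts(SAMPLE_PROXY_LOG))
```

On the sample data the file check reports imm32b.dll as a strong match, WS2HELP.DLL as a weak one and hangame.ini as a credential log, and the proxy scan returns the POST from 10.0.0.15 plus the GET from 10.0.0.22. A real run would feed it an actual directory listing of the System folder and the proxy or DNS logs from the time window of interest.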




Analysis by Patrick Estavillo

Last update 04 January 2013
