
PWS:Win32/OnLineGames.AH


First posted on 02 June 2015.
Source: Microsoft

Aliases:

There are no other names known for PWS:Win32/OnLineGames.AH.

Explanation:

Threat behavior

Installation

This threat can be installed by other malware.

It makes the following changes to the registry as part of its installation process:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
Sets value: (default)
With data: " "

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: "0"

It is installed as a Browser Helper Object (BHO) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: (value not set)
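The three keys above are enough to triage a machine offline. As an added example (not part of Microsoft's analysis), the Python script below parses a `reg export` of the HKLM hive, lists every CLSID registered as a Browser Helper Object, resolves its InProcServer32 path under both Classes\CLSID and Classes\Wow6432Node\CLSID (where 32-bit BHOs live on 64-bit Windows), and flags the OnLineGames.AH CLSID as well as any BHO whose server path is blank or does not point at a DLL. The embedded .reg text, and the second CLSID {11111111-2222-3333-4444-555555555555} with its example.dll path, are constructed for the demonstration and are not real indicators.

```python
# Offline BHO triage over a .reg export. Added example; assumptions:
# the sample export below is constructed, and {11111111-...} is a made-up benign BHO.

IOC_CLSID = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}"   # from the Microsoft write-up

# Any key path containing this marker followed by one component is a BHO registration
# (covers both the native and Wow6432Node views of the Explorer key).
BHO_MARKER = "\\explorer\\browser helper objects\\"

# Where a BHO's in-process server DLL is declared; checked in order.
CLSID_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID",
)

# Constructed sample of `reg export HKLM\SOFTWARE out.reg`, trimmed to the relevant keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32]
@=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar (constructed)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\Example\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"""


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    '@' is the (default) value; quoted strings are unescaped. Keys with no
    values (the BHO registration itself) are kept with an empty dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def registered_bhos(keys):
    """Return the CLSIDs registered under ...\\Explorer\\Browser Helper Objects."""
    found = set()
    for k in keys:
        idx = k.lower().find(BHO_MARKER)
        if idx == -1:
            continue
        rest = k[idx + len(BHO_MARKER):]
        if rest and "\\" not in rest:
            found.add(rest)
    return sorted(found)


def inproc_path(keys, clsid):
    """(default) value of the CLSID's InProcServer32 key, or None if no such key."""
    lowered = {k.lower(): v for k, v in keys.items()}
    for root in CLSID_ROOTS:
        vals = lowered.get(f"{root}\\{clsid}\\InProcServer32".lower())
        if vals is not None:
            return vals.get("(default)")
    return None


def triage(keys):
    """List (clsid, server_path, verdict) for every registered BHO."""
    findings = []
    for clsid in registered_bhos(keys):
        path = inproc_path(keys, clsid)
        if clsid.upper() == IOC_CLSID:
            verdict = "MATCH: PWS:Win32/OnLineGames.AH CLSID"
        elif path is None or not path.strip() or not path.lower().endswith(".dll"):
            verdict = "SUSPICIOUS: BHO without a DLL in InProcServer32"
        else:
            verdict = "review: resolves to a DLL"
        findings.append((clsid, path, verdict))
    return findings


if __name__ == "__main__":
    for clsid, path, verdict in triage(parse_reg(SAMPLE_REG)):
        print(f"{clsid}  InProcServer32={path!r}  {verdict}")
```

Internet Explorer loads whatever DLL the InProcServer32 (default) value names, so a registered BHO whose server path is a single space, as in this sample, cannot be a legitimate add-on; the script flags that pattern independently of the CLSID, which survives a repacked variant that re-registers under a different GUID. On a live system, run `reg export HKLM\SOFTWARE <file>` (or collect the SOFTWARE hive from the image) and feed the text to `parse_reg`.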

Payload

Steals online game credentials

This threat can monitor, and attempt to steal, the credentials you type into the following websites:

  • aran.kr.gameclub.com
  • auth.siren24.com
  • baram.nexon.com
  • bns.plaync.com
  • booknlife.com
  • capogames.net
  • cultureland.co.kr
  • df.nexon.com
  • dk.halgame.com
  • elsword.nexon.com
  • hangame.com
  • happymoney.co.kr
  • heroes.nexon.com
  • id.hangame.com
  • itembay.com
  • itemmania.com
  • kr.battle.net
  • lcs.mezzo.hangame.com
  • login.nexon.com
  • netmarble.net
  • nexon.com
  • nxpay.nexon.com
  • pmang.com
  • poker.hangame.com
  • teencash.co.kr


Contacts remote hosts

The malware can connect to the following remote hosts to download additional settings and components, or upload its stolen information:

  • angel.frovez/cs0719
  • lullaby.dovzle/cs0719




Analysis by Alden Pornasdoro

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
    Sets value: (default)
    With data: " "

    In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
    Sets value: (default)
    With data: "0"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
    Sets value: (default)
    With data: (value not set)

Last update 02 June 2015

 
