Worm.Generic.95776
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Worm.Generic.95776.
Explanation:
This malware's purpose is to steal information about online games. When executed, it performs the following modifications:
FILES
- copies itself into the %temp% folder as herss.exe and drops a .dll file named cvasds0.dll in the same directory; both files are hidden
- once the dropped .dll file is loaded inside explorer.exe, it makes an additional copy of the executable in the root directory of the system drive, as wcgswa.exe, and creates an autorun.inf file pointing to it
REGISTRY
- registers itself at startup by adding the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdooosoft pointing to %temp%\herss.exe
- sets the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue value to 0, which disables the ability to check "Show hidden files and folders" under Folder Options -> View
PROCESSES
The initial process of the malware only copies itself and drops the .dll file into the %temp% folder, then injects the .dll into explorer.exe. The .dll file performs the rest of the modifications (the registry and autorun changes).
PASSWORD STEALING
The injected .dll begins its quest to gather sensitive information about several online games: Metin2, FlyFF, Maple Story, Age of Conan and Knight Online.
The malware contains a huge list of IP addresses to which the stolen data is sent.
Note: %temp% is a variable that refers to the temp folder (usually x:\Documents and Settings\[user-name]\Local Settings\Temp, where x is the system drive).
Last update 21 November 2011
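As an added illustration for responders (this is not BitDefender's text or tooling), the following Python triages an exported .reg file and a drive-root autorun.inf for the file and registry indicators listed above. The registry export and autorun.inf contents are constructed sample input; the key, value and file names are the ones given in the description.

```python
import re

# Indicators named in the description above, compared case-insensitively.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
SHOWALL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")
RUN_VALUE = "cdooosoft"
DROPPED_NAMES = {"herss.exe", "cvasds0.dll", "wcgswa.exe"}

# Constructed sample input: a regedit export and a drive-root autorun.inf as
# they might look on an infected host (the paths are illustrative).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdooosoft"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\herss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''
SAMPLE_AUTORUN = "[autorun]\nopen=wcgswa.exe\n"

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"').lower()] = data.strip().strip('"')
    return keys

def find_indicators(reg_text, autorun_text=""):
    """Return human-readable findings; an empty list means nothing matched."""
    findings, keys = [], parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        basename = data.lower().replace("/", "\\").split("\\")[-1]
        if name == RUN_VALUE or basename in DROPPED_NAMES:
            findings.append(f"Run value {name!r} -> {data}")
    if keys.get(SHOWALL_KEY, {}).get("checkedvalue", "").lower() == "dword:00000000":
        findings.append("SHOWALL\\CheckedValue is 0: 'Show hidden files' cannot be enabled")
    # autorun.inf at the drive root whose open= line launches a dropped file
    for m in re.finditer(r"^\s*(open|shellexecute)\s*=\s*(.+)$", autorun_text, re.I | re.M):
        if m.group(2).strip().lower().split("\\")[-1] in DROPPED_NAMES:
            findings.append(f"autorun.inf {m.group(1)} launches {m.group(2).strip()}")
    return findings
```

Run `find_indicators(SAMPLE_REG, SAMPLE_AUTORUN)` against the sample, or feed it the output of `reg export` and the autorun.inf read from the suspect drive.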