
PWS:Win32/Frethog.gen!G


First posted on 04 February 2009.
Source: SecurityHome

Aliases :

PWS:Win32/Frethog.gen!G is also known as Trojan horse PSW.Generic3.NQM (AVG), Trojan-PSW.Win32.OnLineGames.es (Kaspersky), PWS-LegMir.dll (McAfee), Troj/PSW-AKZ (Sophos), TSPY_ONLINEG.CID (Trend Micro), Infostealer.Gampass (Symantec).

Explanation :

PWS:Win32/Frethog.gen!G is part of a multi-component password-stealing trojan that targets confidential data, such as account information, from Massive Multiplayer Online Role Playing Games (MMORPG) such as World of Warcraft (WoW), for example.

Symptoms
There are no obvious symptoms to indicate the presence of PWS:Win32/Frethog.gen!G in a system.

Installation

PWS:Win32/Frethog.gen!G arrives on the system as a DLL component and is installed onto the machine by an EXE component. It is usually installed in the system directory under random filenames. Here are some of the typical filenames used:

  • mppds.dll
  • woso<number>.dll
  • avpo<number>.dll

where <number> is a one-digit number.

The DLL file is injected into the common Windows shell "explorer.exe", which is usually loaded with the desktop when a user logs in.

Payload

Modifies System Security Settings
PWS:Win32/Frethog.gen!G attempts to circumvent security products by:
  • Attempting to prevent AVP Antivirus from displaying notifications regarding system changes by closing windows used by this product.
  • Attempting to terminate the RAV Antivirus process ("ravmon.exe") if it is found to be running on the affected system.

Steals Online Game Data
Once injected into "explorer.exe", the trojan can obtain login account information for one or more of the following MMORPGs and affiliated products:
  • Rainbow Island
  • Cabal Online
  • A Chinese Odyssey
  • Hao Fang Battle Net
  • Lineage
  • Gamania
  • MapleStory
  • qqgame
  • Legend of Mir
  • World Of Warcraft

The captured details are sent to a remote server.
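The filename patterns in the Installation section and the injection into "explorer.exe" give a defender two simple checks: look for those names in the system directory, and look for them among the modules loaded into explorer.exe. The following Python script is an added example, not part of the original write-up or of any vendor tool; it matches a directory listing and a list of loaded-module paths against the patterns quoted above. The sample listing and module list are constructed, and the function names are the example's own. The live scan of the system directory simply returns nothing when run on a machine where that directory does not exist.

```python
import ntpath
import os
import re

# Filename patterns quoted in the description above (mppds.dll, woso<number>.dll,
# avpo<number>.dll, where <number> is a single digit). Windows filenames are
# case-insensitive, so the match is too.
FRETHOG_DLL_PATTERNS = [
    re.compile(r"^mppds\.dll$", re.IGNORECASE),
    re.compile(r"^woso[0-9]\.dll$", re.IGNORECASE),
    re.compile(r"^avpo[0-9]\.dll$", re.IGNORECASE),
]


def is_frethog_name(filename: str) -> bool:
    """True if a bare filename matches one of the patterns from the description."""
    return any(p.match(filename) for p in FRETHOG_DLL_PATTERNS)


def scan_names(names):
    """Return the entries of a directory listing whose names match, in listing order."""
    return [n for n in names if is_frethog_name(n)]


def scan_directory(path):
    """Scan a real directory (e.g. the Windows system directory). Returns [] if absent."""
    if not os.path.isdir(path):
        return []
    return scan_names(os.listdir(path))


def suspicious_modules(module_paths):
    """Given full paths of modules loaded into a process (e.g. as reported by
    `tasklist /M` for explorer.exe), return those whose basename matches.
    ntpath is used so Windows-style paths split correctly on any OS."""
    return [m for m in module_paths if is_frethog_name(ntpath.basename(m))]


# Constructed sample data (not taken from a real system).
SAMPLE_SYSTEM32_LISTING = [
    "kernel32.dll",
    "mppds.dll",
    "woso3.dll",
    "avpo12.dll",   # two digits: does not match the one-digit pattern
    "wosoX.dll",    # letter instead of digit: does not match
    "AVPO7.DLL",    # matches case-insensitively
    "ntdll.dll",
]

SAMPLE_EXPLORER_MODULES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\woso3.dll",
    r"C:\Windows\System32\shell32.dll",
]


if __name__ == "__main__":
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    live = scan_directory(system_dir)
    print("live system directory hits:", live or "none (or directory not present)")
    print("sample listing hits:", scan_names(SAMPLE_SYSTEM32_LISTING))
    print("sample explorer.exe module hits:", suspicious_modules(SAMPLE_EXPLORER_MODULES))
```

A filename match on its own is weak evidence, since the names are generic; a hit in the system directory combined with the same DLL appearing in explorer.exe's module list is the combination worth escalating, and the file itself should then be submitted to an antivirus scanner for confirmation.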

    Analysis by Elda Dimakiling

    Last update 04 February 2009
