
Trojan.PWS.Onlinegames.KDCI


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.PWS.Onlinegames.KDCI is also known as Trojan-GameThief.Win32.Magania.crjh, Worm.Win32.AutoRun.

Explanation :

This is yet another variant of one of the most prolific families of online-games password-stealing malware.

Upon execution, it first creates autorun.inf files pointing to copies of itself, making sure it can survive after a system restart. These files are located in the root of the local drives of an affected system.

It creates another copy of itself in the temporary folder of the current user, where it also drops a new DLL file that implements all the functionality required for stealing passwords related to MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron or other games. The newly created copy is registered to run at system start-up by a new entry created under HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run (named cdoosoft, having the path of the file as its value). At this point, the original infected file deletes itself from the disk, removing its traces.

The .dll file from the temp folder is then written into the memory space of the explorer.exe process and executed. The malicious code injected into explorer.exe is responsible for setting the hooks needed for stealing passwords and also for further propagation through the periodic (two times a minute) creation of autorun.inf files (and of the associated executable files) in the root folder of the local partitions.
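A triage check for the persistence and propagation traces described above, as an added example that is not part of the original write-up: it flags autorun.inf files that launch a program and Run values named cdoosoft or pointing into the user's temp folder. The function names, sample paths and file names are assumptions constructed for illustration.

```python
import ntpath
KNOWN_RUN_NAMES = {"cdoosoft"}  # Run value name given in the description above

def autorun_targets(text):
    """Programs an autorun.inf would launch (open, shellexecute, shell verbs)."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append(value)
    return targets

def suspicious_run_values(run_values, temp_dir):
    """Names of Run values that match a known name or point into temp_dir."""
    temp = ntpath.normcase(ntpath.normpath(temp_dir)) + "\\"
    hits = []
    for name, command in run_values.items():
        path = ntpath.normcase(ntpath.normpath(command.strip().strip('"')))
        if name.lower() in KNOWN_RUN_NAMES or path.startswith(temp):
            hits.append(name)
    return hits

def triage(autorun_by_root, run_values, temp_dir):
    """Combine both checks into (indicator, location, detail) tuples."""
    findings = [("autorun", root, target)
                for root, text in autorun_by_root.items()
                for target in autorun_targets(text)]
    findings += [("run-key", name, run_values[name])
                 for name in suspicious_run_values(run_values, temp_dir)]
    return findings

# Constructed sample data, not taken from a real infection.
SAMPLE_AUTORUN = {
    "C:\\": "[AutoRun]\r\n;junk\r\nopen=sample.exe\r\nshell\\open\\Command=sample.exe\r\n",
    "D:\\": "[autorun]\nicon=setup.ico\nlabel=Backup\n",
}
SAMPLE_RUN = {
    "cdoosoft": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
}
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"

if __name__ == "__main__":
    print(*triage(SAMPLE_AUTORUN, SAMPLE_RUN, SAMPLE_TEMP), sep="\n")
```

On a live system the inputs would be the contents of autorun.inf from each local drive root and the values under the HKCU Run key.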

Last update 21 November 2011

 
