Trojan.PWS.Onlinegames.KDBI
First posted on 21 November 2011.
Source: BitDefender
Aliases: Trojan.PWS.Onlinegames.KDBI is also known as (OneCare.
Explanation:
To hide its activity, the trojan, when first run, injects its code into the memory of Explorer.exe using low-level methods and starts a remote thread pointing at that region. This code (executed inside Explorer.exe) is responsible for injecting a DLL dropped by the trojan (%USERPROFILE%\Local Settings\Temp\cvasd0.dll) into all running processes.
The injected DLL contains two components. The first is an online game password stealer (targets: KnightOnline, Metin2, AgeOfConan, TheLordOfTheRings, Maple...). The second, an embedded DLL (ANTIVM.dll), tries to disable some known security solutions, usually by stopping their update service modules (Liveserv.exe, vsupdate.exe, Update.exe, AVP.exe, avgupd.exe).
The code injected into the Explorer.exe process copies itself to %ROOT%\[random_name].exe and creates an Autorun.inf file pointing to this copy.
The following registry key is also modified by the malware:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft" = "%TEMP%\herss.exe", where the executable is a copy of the malware
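The Run-key entry and the root-level Autorun.inf are the two persistence artifacts an analyst can check without running the sample. The following Python script is an added example for this page, not BitDefender's analysis or any tool of theirs: it triages a .reg export of the HKCU Run key and an Autorun.inf pulled from a drive root, flagging Run values that launch from a Temp directory and Autorun.inf entries whose open=/shellexecute=/shell\...\command= target is a bare .exe at the drive root. The value name cdoosoft and file name herss.exe come from the description above; the .reg and Autorun.inf contents, the user name bob and the executable name xr7fq.exe (standing in for the random name) are constructed sample data.

```python
"""Offline triage of the persistence artifacts left by this family (added example)."""
import configparser
import ntpath
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export of the Run key on an XP-era host (sample data, not from
# a real infection): one benign entry plus the entry the trojan writes.
SAMPLE_RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cdoosoft"="C:\\Documents and Settings\\bob\\Local Settings\\Temp\\herss.exe"
'''

# Constructed Autorun.inf as it might sit at a drive root; xr7fq.exe stands in
# for the random name the trojan chooses for its root-level copy.
SAMPLE_AUTORUN_INF = r'''[AutoRun]
open=xr7fq.exe
shellexecute=xr7fq.exe
shell\open\Command=xr7fq.exe
action=Open folder to view files
'''

# "name"=data or @=data lines of a .reg file; the name may contain escaped quotes.
_REG_VALUE = re.compile(r'^(?:"((?:\\.|[^"\\])*)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} keeping REG_SZ values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else '@'
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])  # skip hex:/dword: data
    return keys


def command_image(cmdline):
    """Pull the executable path out of a command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = re.match(r'(.*?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)', cmdline, re.I)
    return m.group(1) if m else (cmdline.split() or [''])[0]


def is_temp_path(path):
    """True when any path component is a Temp directory or the %TEMP%/%TMP% variable."""
    parts = {p.lower() for p in re.split(r'[\\/]', path) if p}
    return bool({'temp', 'tmp', '%temp%', '%tmp%'} & parts)


def suspicious_run_entries(run_values):
    """Run-key values that launch from Temp or match this family's known entry."""
    findings = []
    for name, cmd in run_values.items():
        image = command_image(cmd)
        reasons = []
        if is_temp_path(image):
            reasons.append('launches from a Temp directory')
        if name.lower() == 'cdoosoft' or ntpath.basename(image).lower() == 'herss.exe':
            reasons.append('matches Trojan.PWS.Onlinegames.KDBI Run entry')
        if reasons:
            findings.append({'name': name, 'path': image, 'reasons': reasons})
    return findings


def autorun_targets(text):
    """Executables an Autorun.inf would launch via open=, shellexecute= or shell\\...\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=('=',))
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != 'autorun':
            continue
        for key, value in cp.items(section):  # option names are lower-cased by configparser
            if key in ('open', 'shellexecute') or (key.startswith('shell\\') and key.endswith('\\command')):
                targets.append(command_image(value))
    return targets


def root_level_executables(targets):
    """Targets that are a bare .exe with no directory part, i.e. sitting at the drive root."""
    return [t for t in targets if ntpath.dirname(t) == '' and ntpath.splitext(t)[1].lower() == '.exe']


def triage(reg_text, autorun_text):
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return {
        'run': suspicious_run_entries(run_values),
        'autorun': sorted(set(root_level_executables(autorun_targets(autorun_text)))),
    }


if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_RUN_KEY_EXPORT, SAMPLE_AUTORUN_INF), indent=2))
```

On a real case the inputs would come from `reg export` of the Run key and from `type X:\Autorun.inf` on each mounted volume; the Temp-directory rule is deliberately broader than this one family, since a Run value pointing into %TEMP% is suspicious regardless of the value name.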
The trojan then tries to download an updated, encrypted version of itself (also detected as Trojan.PWS.Onlinegames) from:
www.googlem7k.com/[removed]/am.rar
www.sinap4k.com/[removed]/am.rar
Last update 21 November 2011