
Trojan.PWS.OnlineGames.KCPG


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.PWS.OnlineGames.KCPG.

Explanation :

When first run, the trojan makes the following changes to the system:
- copies itself into the %temp% directory as uret463.exe
- drops its DLL component into the %temp% directory as lhgiyitX.dll (where X is a number, starting at 0)
- injects the library into explorer.exe, and then into every running process
The DLL additionally:
- makes another copy of the trojan in the root directory of every drive, as gx.bat
- creates an autorun.inf file on every drive pointing to that copy (it also makes sure the autorun feature is enabled for the targeted drives)
- drops a rootkit driver into %system%\drivers as cdaudio.sys (currently detected by BitDefender as Rootkit.OnlineGames.CQ), which is responsible for hiding the malware's files (the trojan drops the file and registers the service, but it does not appear to actually load the driver)
This password stealer (PWS) targets data for online games such as TwelveSky (twelsky2.exe), MapleStory (maplestory.exe), Perfect World (elementclient.exe) and World of Warcraft (wow.exe), as well as programs running as the processes coc.exe, fj.exe, ybclient.exe, wsm.exe, gameclient.exe and game.exe.
It attempts to retrieve information from various files, if present on the attacked machine, such as wool.dat, Online.dat, aaa.dat, config.wtf and userdatacurrentserver.ini. The trojan also contains a large list of IP addresses to which it may send the information gathered from the victim's computer.
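The file-system artefacts listed above can be checked offline against a mounted image or a live host. The script below is an added example and is not code from BitDefender or malwarePDF; it only uses the file names given in the description (uret463.exe, lhgiyitX.dll, gx.bat, autorun.inf, cdaudio.sys). All locations are passed in as parameters, and build_sample_tree() constructs a fake infected tree with empty placeholder files so the checker can be exercised without a real sample. Two caveats a responder should keep in mind: the autorun.inf is parsed by hand because malicious copies often carry junk lines a strict INI parser rejects, and cdaudio.sys is a weak indicator by itself, since XP-era Windows ships a legitimate driver of that name, so the hit must be confirmed with a hash or signature check.

```python
"""Offline triage for the Trojan.PWS.OnlineGames.KCPG drop locations listed above.

Added example, not BitDefender or malwarePDF code.  Every location is a
parameter so the same function runs against a mounted disk image or a
constructed test tree.  On a live Windows host you would pass
os.environ["TEMP"], the drive roots (r"C:\\", r"D:\\", ...) and
os.path.join(os.environ["SystemRoot"], "System32", "drivers").
"""
import os
import re
import tempfile
from typing import Any, Dict, Iterable, List

# File names taken from the BitDefender description.
TEMP_EXE = "uret463.exe"
TEMP_DLL_RE = re.compile(r"^lhgiyit\d+\.dll$", re.IGNORECASE)  # lhgiyitX.dll, X numeric
DRIVE_COPY = "gx.bat"
DRIVER_NAME = "cdaudio.sys"
# autorun.inf keys that name something to execute (general Windows autorun
# semantics, not specific to this family).
AUTORUN_EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_targets(inf_text: str) -> List[str]:
    """Return the lower-cased file names an autorun.inf would launch.

    Parsed by hand rather than with configparser because malicious autorun.inf
    files routinely contain junk lines that a strict INI parser rejects.
    """
    targets: List[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in AUTORUN_EXEC_KEYS:
            continue
        tokens = value.replace('"', "").split()
        if tokens:
            # Keep only the file name: arguments and directory components are dropped.
            targets.append(re.split(r"[\\/]", tokens[0])[-1].lower())
    return targets


def triage_host(temp_dir: str, drive_roots: Iterable[str], drivers_dir: str) -> List[str]:
    """Check the drop locations from the description and return human-readable findings."""
    findings: List[str] = []

    exe = os.path.join(temp_dir, TEMP_EXE)
    if os.path.isfile(exe):
        findings.append(f"dropper copy in %temp%: {exe}")
    if os.path.isdir(temp_dir):
        for name in sorted(os.listdir(temp_dir)):
            if TEMP_DLL_RE.match(name):
                findings.append(f"DLL component in %temp%: {os.path.join(temp_dir, name)}")

    for root in drive_roots:
        bat = os.path.join(root, DRIVE_COPY)
        inf = os.path.join(root, "autorun.inf")
        if os.path.isfile(bat):
            findings.append(f"drive-root copy: {bat}")
        if os.path.isfile(inf):
            with open(inf, encoding="latin-1", errors="replace") as fh:
                if DRIVE_COPY in autorun_targets(fh.read()):
                    findings.append(f"autorun.inf launching {DRIVE_COPY}: {inf}")

    drv = os.path.join(drivers_dir, DRIVER_NAME)
    if os.path.isfile(drv):
        # Weak indicator on its own: XP-era Windows ships a legitimate cdaudio.sys,
        # so confirm with a hash or signature check before acting on it.
        findings.append(f"cdaudio.sys present (verify hash/signature): {drv}")
    return findings


def build_sample_tree(infected: bool = True) -> Dict[str, Any]:
    """Constructed test tree (placeholder files, no real malware) shaped like an infected host."""
    base = tempfile.mkdtemp(prefix="kcpg_demo_")
    temp_dir = os.path.join(base, "Temp")
    drive = os.path.join(base, "E")
    drivers = os.path.join(base, "drivers")
    for d in (temp_dir, drive, drivers):
        os.makedirs(d)
    if infected:
        for path in (os.path.join(temp_dir, TEMP_EXE),
                     os.path.join(temp_dir, "lhgiyit0.dll"),
                     os.path.join(drive, DRIVE_COPY),
                     os.path.join(drivers, DRIVER_NAME)):
            open(path, "wb").close()
        with open(os.path.join(drive, "autorun.inf"), "w", encoding="latin-1", newline="") as fh:
            fh.write("[AutoRun]\r\nopen=gx.bat\r\nshell\\open\\Command=gx.bat\r\n"
                     "action=Open folder to view files\r\n")
    return {"temp_dir": temp_dir, "drive_roots": [drive], "drivers_dir": drivers}


if __name__ == "__main__":
    for finding in triage_host(**build_sample_tree()):
        print(finding)
```

On a live Windows host two registry checks complete the picture, using standard key names rather than anything stated on this page: the description says the driver's service is registered but not loaded, so look under HKLM\SYSTEM\CurrentControlSet\Services for a service whose ImagePath ends in cdaudio.sys, and since the DLL re-enables autorun, compare the NoDriveTypeAutoRun value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKLM and HKCU) with your baseline.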

Last update 21 November 2011
