Trojan-GameThief.Win32.OnLineGames.rlh

Technical Details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 112736 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

The Trojan also extracts the executable file shown below from its body:

%System%\kavo0.dll

This file is 96768 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.rlb.

The Trojan also extracts the executable file shown below from its body:

%Temp%\<random symbols>.dll

This file is 29994 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.yyq.

Payload

The Trojan loads the .dll file to all processes launched in the system.

The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe 
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

It sniffs traffic sent to the following addresses:

61.220.60.***
61.220.60.***
61.220.62.***
61.220.56.***
61.220.56.***
61.220.62.***
61.220.62.***
203.69.46.***
203.69.46.***
220.130.113.***

It does this in an attempt to harvest account data for the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.

The Trojan also modifies the following system registry key parameter values:

The Trojan also attempts to terminate the following processes:

KAV
RAV
AVP
KAVSVC/

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Troaj copies its executable file to the root of each drive as follows:

<X> indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the following file:
   %System%\kavo.exe
2. Reboot the computer.
3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
4. Delete the following system registry key parameter:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

   "kava" = "%System%\kavo.exe"

5. Restore the original system registry key values:
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Fol
   der\Hidden\SHOWALL]
   "CheckedValue" = "0"
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Hidden" = "2" "ShowSuperHidden" = "0"
   [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer]
   "NoDriveTypeAutoRun" = "0x91"