Internet threat level: 1
Home→Descriptions→Trojan-GameThief.Win32.OnLineGames.uvpy
Trojan-GameThief.Win32.OnLineGames.uvpy
| Detected | Apr 10 2009 17:24 GMT |
| Released | Apr 10 2009 21:32 GMT |
| Published | Oct 25 2010 07:35 GMT |
Payload
Removal instructions
Technical Details
This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). It is 15 648 bytes in size. It is packed using UPX. The unpacked file is approximately 214 KB in size. It is written in C++.
Payload
Once launched, the Trojan performs the following actions:
- For the following files:
%System%\sfc_os.dll %System%\rundll32.exe
the Trojan creates copies, which it saves under the following names respectively:%System%\mmsfc1.dll %System%\gth68338.exe
- A function in the "mmsfc1.dll" library disables protection for the "ComRes.dll" file in the Windows system directory.
- It moves the file:
%System%\ComRes.dll
into the file called:%System%\sysgth.dll
- It extracts the following files from its body:
%WinDir%\fOntS\ComRes.dll
This file is 160 752 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvzj.%WinDir%\fOntS\gth68338.ttf
This file is 30 720 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvun.%WinDir%\fOntS\gth68338.fon
This file is 1312 bytes in size.%System%\ComRes.dll
This file is 160 752 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvzj. - It terminates the following process:
QQSG.exe
- It launches the following command:
%System%\gth68338.exe %WinDir%\fOntS\ComRes.dll ins <path_to_original_body_of_trojan>
which in turn launches the file "ComRes.dll" and calls a function called "ins", which passes the path to the original body of the Trojan as a parameter.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
%System%\mmsfc1.dll %System%\gth68338.exe %System%\ComRes.dll %WinDir%\fOntS\ComRes.dll %WinDir%\fOntS\gth68338.ttf %WinDir%\fOntS\gth68338.fon
- Rename the file:
%System%\sysgth.dll
in the file:%System%\ComRes.dll
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: 28A6BA3CEBCA052BEEBDB2830C2AFFE3
SHA1: 8BF2E6D0E296A530D39F1F32B4085D85253BA6C2
This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Trojan-GameThief.
- Trojan:
PWS-OnlineGames. ed (McAfee) - Mal/Comot-A (Sophos)
- Trj/Lineage.
BZE (Panda) - W32/OnlineGames.
CG. gen!Eldorado (FPROT) - PWS:
Win32/Lolyda. AH (MS(OneCare)) - Trojan.
PWS. Wsgame. 11671 (DrWeb) - Trojan.
PWS. Wsgame. 11205 (DrWeb) - Win32/PSW.
OnLineGames. NUA trojan (Nod32) - Trojan.
Generic. 1610461 (BitDef7) - Trojan.
PWS. OnlineGames. KBXA (BitDef7) - Trojan.
DR. OnlineGames. Gen. 120 (VirusBuster) - Win32:
Trojan-gen (AVAST) - Win32:
OnLineGames-FJP [Trj] (AVAST) - Virus.
Win32. OnLineGames (Ikarus) - Trojan-Dropper.
Win32. Comotor (Ikarus) - PSW.
OnlineGames3. BBC (AVG) - PSW.
Generic7. CXY (AVG) - W32/OnLineGames.
IWQN (Norman) - W32/OnLineGames.
IWRP (Norman) - Trojan-GameThief.
Win32. OnLineGames. uvpy [AVP] (FSecure) - TROJ_GAMETHI.
EMR (TrendMicro) - Trojan.
Win32. Generic!BT (Sunbelt) - Trojan.
DR. OnlineGames. Gen. 120 (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.