Internet threat level: 1
Home→Descriptions→Trojan-GameThief.Win32.OnLineGames.blyk
Trojan-GameThief.Win32.OnLineGames.blyk
| Detected | Apr 30 2009 08:16 GMT |
| Released | Apr 30 2009 20:02 GMT |
| Published | Oct 25 2010 07:29 GMT |
Payload
Removal instructions
Technical Details
This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). It is 16 672 bytes in size. It is packed using UPX. The unpacked file is approximately 293 KB in size. It is written in C++.
Payload
Once launched, the Trojan performs the following actions:
- For the following files:
%System%\sfc_os.dll %System%\rundll32.exe
the Trojan creates copies, which it saves under the following names respectively:%System%\mmsfc1.dll %System%\GTH78380.exe
- A function in the "mmsfc1.dll" library disables protection for the "ComRes.dll" file in the Windows system directory.
- It moves the file:
%System%\ComRes.dll
into the file called:%System%\sysGTH.dll
- It extracts the following files from its body:
%WinDir%\fonts\comres1.ttf
This file is 165 888 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.blyj.%WinDir%\fOntS\GTH78380.ttf
This file is 35 328 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.vcpl.%WinDir%\fOntS\GTH78380.fon
This file is 1312 bytes in size.%System%\ComRes.dll
This file is 165 888 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.blyj. - It terminates the following process:
elementclient.exe
- It launches the following command:
%System%\GTH78380.exe %WinDir%\fOnTs\comres1.ttf dns <path_to_original_body_of_trojan<
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
%System%\mmsfc1.dll %System%\GTH78380.exe %System%\ComRes.dll %WinDir%\fOntS\ComRes1.ttf %WinDir%\fOntS\GTH78380.ttf %WinDir%\fOntS\GTH78380.fon
- Rename the file:
%System%\sysGTH.dll
in the file:%System%\ComRes.dll
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: E36C2911F30D89FF7A96D0917CED8DD2
SHA1: A14E8D152AC27B5296152D8F34CEACE328F663D9
This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Trojan-GameThief.
- Trojan:
PWS-OnlineGames. eh (McAfee) - Mal/Generic-A (Sophos)
- W32/Heuristic-KPP!Eldorado (FPROT)
- Trojan:
Win32/Meredrop (MS(OneCare)) - Trojan.
PWS. Qqpass. origin (DrWeb) - Trojan.
PWS. Gamania. 18873 (DrWeb) - Trojan.
PWS. Qqpass. 2699 (DrWeb) - Win32/PSW.
OnLineGames. NZM trojan (Nod32) - Trojan.
Win32. Meredrop (Ikarus) - PSW.
OnlineGames3. IKL (AVG) - TR/Hijacker.
Gen (AVIRA) - Infostealer.
Onlinegame (NAV) - Trojan.
PSW. Win32. GameOL. ypx (Rising) - Mal_OLGM-30 (TrendMicro)
- Trojan.
Win32. Generic!BT (Sunbelt)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.