Trojan-GameThief.Win32.OnLineGames.spth
| Detected | Dec 04 2002 09:09 GMT |
| Released | Aug 11 2008 09:20 GMT |
| Published | Dec 04 2002 09:09 GMT |
This is a polymorphic worm written in Batch script that uses the Windows 2000/XP command extensions (cmd.exe). The worm contains two parts: a polymorphic generator and the main body. The polymorphic generator reconstructs the main body each time the batch file starts. The worm creates its droppers as the files SPTH.BAT and C:\MIRC\SATURN.BAT. It also creates the script file C:\MIRC\SCRIPT.INI. The script sends the worm dropper (SATURN.BAT) to each user who joins the infected channel. The worm also rewrites batch files in the WINDOWS directory. The worm contains the comments:
----------- BatXP.Saturn ********** by Second Part To Hell -----------
|
I think, you are looking at the code and think: "What the hell is this?"|
The answer is: A Windows XP Batch polymorph virus :D |
WinXP is using a program named CMD.EXE instate of COMMAND.COM for DOS |
You're able to make the really nice things with CMD which you wasn't |
able to do it with COMMAND.COM. |
|
Information about the virus: |
Virusname......................: BatXP.Saturn |
Virusauthor....................: Second Part To Hell |
Size...........................: The poly-engine has 1.301 Bytes |
The whole virus has 4.158 Bytes |
Encrypted......................: Yes, but only the virus part. |
I'll crypt also the poly engine in |
next versions. |
Polymorphic....................: Yes |
|
written from 20.11.2002 to 22.11.2002 |
in Austria |
----------------------------------------------------------------------
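One way to check a mIRC SCRIPT.INI for the behaviour described above, a handler that sends a file to every user who joins a channel. This is an added example, not code from the original page or from the worm; the sample script lines, the extension list and the name `scan_script_ini` are assumptions, and only single-line handlers are parsed.

```python
import re

# File names the description above associates with this worm.
DROPPER_NAMES = {"spth.bat", "saturn.bat"}
# Extensions a channel event handler should never auto-send (assumed list).
RISKY_EXT = (".bat", ".cmd", ".exe", ".com", ".scr", ".pif", ".vbs", ".ini")

# mIRC event line "on <level>:JOIN:<channel>:<commands>", optionally stored
# as "nN=..." inside script.ini. Brace-delimited multi-line handlers are out of scope.
JOIN_EVENT = re.compile(r"^(?:n\d+=)?\s*on\s+[^:]+:join:[^:]*:(?P<cmds>.*)$", re.I)
# "/dcc send <nick> <file>", ended by a command separator or end of line.
DCC_SEND = re.compile(r"/?dcc\s+send\s+\S+\s+(?P<path>.+?)\s*(?:\||\}|$)", re.I)


def scan_script_ini(text):
    """Return one finding per file that a JOIN handler sends to the joining user."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        event = JOIN_EVENT.match(raw.strip())
        if not event:
            continue
        for send in DCC_SEND.finditer(event.group("cmds")):
            path = send.group("path").strip().strip('"')
            name = re.split(r"[\\/]", path)[-1].lower()
            if name in DROPPER_NAMES:
                severity = "known-dropper"
            elif name.endswith(RISKY_EXT):
                severity = "risky-extension"
            else:
                severity = "auto-send"
            findings.append({"line": lineno, "file": path, "severity": severity})
    return findings


# Constructed sample input, not the worm's actual SCRIPT.INI.
SAMPLE = "\n".join([
    "[script]",
    r"n0=on 1:JOIN:#:/dcc send $nick C:\MIRC\SATURN.BAT",
    r"n1=on 1:TEXT:!help:#:/msg $nick see the channel topic",
    r"n2=on *:JOIN:#chat:/msg $nick welcome | /dcc send $nick C:\docs\rules.txt",
])

if __name__ == "__main__":
    for finding in scan_script_ini(SAMPLE):
        print(finding)
```

Any `auto-send` finding is worth a manual look, because a legitimate script rarely pushes files to every user who joins.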
This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.
Trojan-GameThief.