
Trojan-GameThief.Win32.OnLineGames.blup

Detected Apr 11 2009 00:58 GMT
Released Apr 11 2009 05:19 GMT
Published Oct 25 2010 07:21 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

This Trojan belongs to a family of Trojans that steal passwords from online gaming user accounts. It is a Windows application (PE EXE file). It is 15 648 bytes in size. It is packed using UPX. The unpacked file is approximately 214 KB in size. It is written in C++.


Payload

Once launched, the Trojan performs the following actions:

  • For the following files:
    %System%\sfc_os.dll
    %System%\rundll32.exe
    
    the Trojan creates copies, which it saves under the following names respectively:
    %System%\mmsfc1.dll
    %System%\gth60338.exe
    
  • A function exported by the "mmsfc1.dll" library (the renamed copy of sfc_os.dll) disables protection for the "ComRes.dll" file in the Windows system directory.
  • It moves the file:
    %System%\ComRes.dll
    into the file called:
    %System%\sysgth.dll
  • It extracts the following files from its body:
    %WinDir%\fOntS\ComRes.dll
    This file is 160 752 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvzj.
    %WinDir%\fOntS\gth60338.ttf
    This file is 29 696 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uwbl.
    %WinDir%\fOntS\gth60338.fon
    This file is 1312 bytes in size.
    %System%\ComRes.dll
    This file is 160 752 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvzj.
  • It terminates the following process:
    DNF.exe
  • It launches the following command:
    %System%\gth60338.exe %WinDir%\fOntS\ComRes.dll ins <path_to_original_body_of_trojan>
    which in turn loads the file "ComRes.dll" and calls its exported function "ins", passing the path to the original body of the Trojan as the parameter.


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
3. Delete the following files:
  %System%\mmsfc1.dll
  %System%\gth60338.exe
  %System%\ComRes.dll
  %WinDir%\fOntS\ComRes.dll
  %WinDir%\fOntS\gth60338.ttf
  %WinDir%\fOntS\gth60338.fon

4. Rename the file:
  %System%\sysgth.dll
  back to:
  %System%\ComRes.dll
5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: BBD63347DEFE78335BA943A3D0AC4980
SHA1: ADACC83C5BC638791B8783359D082FA30C1FF4C3
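A defender-side triage check built from the file indicators and hash above, added here as an example and not part of Kaspersky's description: it expands the %System%/%WinDir% placeholders, compares paths case-insensitively (so the "fOntS" spelling resolves to the ordinary Fonts directory), flags the moved-aside sysgth.dll and any DLL dropped into Fonts, and matches the sample's MD5. The inventory listing and the function names are constructed for this example.

```python
import ntpath

# Indicators quoted from the description above; everything else is constructed.
SAMPLE_MD5 = "bbd63347defe78335ba943a3d0ac4980"
DROPPED_FILES = (
    r"%System%\mmsfc1.dll",          # renamed copy of sfc_os.dll
    r"%System%\gth60338.exe",        # renamed copy of rundll32.exe
    r"%System%\sysgth.dll",          # the original ComRes.dll, moved aside
    r"%WinDir%\fOntS\ComRes.dll",
    r"%WinDir%\fOntS\gth60338.ttf",
    r"%WinDir%\fOntS\gth60338.fon",
)

def normalize(path, windir=r"C:\Windows"):
    """Expand the %WinDir%/%System% placeholders and fold case: NTFS lookups are
    case-insensitive, so the odd 'fOntS' spelling is just the Fonts directory."""
    expanded = path.replace("%System%", windir + r"\System32").replace("%WinDir%", windir)
    return ntpath.normpath(expanded).lower()

def scan_inventory(inventory, windir=r"C:\Windows"):
    """inventory: iterable of (path, md5_hex) pairs, e.g. from a file listing of a
    suspect host. Returns a sorted list of (path, reason) findings."""
    wanted = {normalize(p, windir): p for p in DROPPED_FILES}
    fonts_dir = normalize(r"%WinDir%\Fonts", windir) + "\\"
    findings = []
    for path, md5 in inventory:
        norm = normalize(path, windir)
        if md5.lower() == SAMPLE_MD5:
            findings.append((path, "MD5 matches the OnLineGames.blup sample"))
        if norm in wanted:
            findings.append((path, "dropped file " + wanted[norm]))
        elif norm.startswith(fonts_dir) and norm.endswith(".dll"):
            # A DLL in the Fonts directory is anomalous whatever its name.
            findings.append((path, "DLL in Fonts directory"))
    return sorted(findings)

# Constructed listing: the legitimate ComRes.dll (unknown hash, no hit), the
# moved-aside original, the Fonts-directory drop, and the loader itself.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\ComRes.dll", "0" * 32),
    (r"C:\WINDOWS\SYSTEM32\sysgth.dll", "1" * 32),
    (r"C:\Windows\Fonts\comres.dll", "2" * 32),
    (r"C:\Users\bob\AppData\Local\Temp\setup.exe", "BBD63347DEFE78335BA943A3D0AC4980"),
]

if __name__ == "__main__":
    for path, reason in scan_inventory(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

The %System%\ComRes.dll that the Trojan extracts keeps a legitimate file name, so it is only caught by a hash the page does not give; the presence of sysgth.dll next to it is the usable signal for that file.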


Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.


Aliases

Trojan-GameThief.Win32.OnLineGames.blup (Kaspersky Lab) is also known as:

  • Trojan: PWS-OnlineGames.ed (McAfee)
  • Mal/Comot-A (Sophos)
  • Generic Trojan (Panda)
  • W32/OnlineGames.CG.gen!Eldorado (FPROT)
  • PWS:Win32/Lolyda.AH (MS(OneCare))
  • Trojan.PWS.Wsgame.11209 (DrWeb)
  • Win32/PSW.OnLineGames.NUA trojan (Nod32)
  • Trojan.PWS.OnlineGames.KBXA (BitDef7)
  • Trojan.DR.OnlineGames.Gen.120 (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Virus.Win32.OnLineGames (Ikarus)
  • PSW.OnlineGames3.BCB (AVG)
  • TR/Spy.Gen2 (AVIRA)
  • Trojan Horse (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan-PSW:W32/OnlineGames.gen!B [FSE] (FSecure)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.DR.OnlineGames.Gen.120 (VirusBusterBeta)