Internet threat level: 1
Home→Descriptions→Trojan-GameThief.Win32.OnLineGames.blup
Trojan-GameThief.Win32.OnLineGames.blup
| Detected | Apr 11 2009 00:58 GMT |
| Released | Apr 11 2009 05:19 GMT |
| Published | Oct 25 2010 07:21 GMT |
Payload
Removal instructions
Technical Details
This Trojan belongs to the family of Trojans that steals passwords from online gaming user accounts. It is a Windows application (PE EXE file). It is 15 648 bytes in size. It is packed using UPX. The unpacked file is approximately 214 KB in size. It is written in C++.
Payload
Once launched, the Trojan performs the following actions:
- For the following files:
%System%\sfc_os.dll %System%\rundll32.exe
the Trojan creates copies, which it saves under the following names respectively:%System%\mmsfc1.dll %System%\gth60338.exe
- A function in the "mmsfc1.dll" library disables protection for the "ComRes.dll" file in the Windows system directory.
- It moves the file:
%System%\ComRes.dll
into the file called:%System%\sysgth.dll
- It extracts the following files from its body:
%WinDir%\fOntS\ComRes.dll
This file is 160 752 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvzj.%WinDir%\fOntS\gth60338.ttf
This file is 29 696 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uwbl.%WinDir%\fOntS\gth60338.fon
This file is 1312 bytes in size.%System%\ComRes.dll
This file is 160 752 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.uvzj. - It terminates the following process:
DNF.exe
- It launches the following command:
%System%\gth60338.exe %WinDir%\fOntS\ComRes.dll ins <path_to_original_body_of_trojan>
which in turn launches the file "ComRes.dll" and calls a function called "ins", which passes the path to the original body of the Trojan as a parameter.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
%System%\mmsfc1.dll %System%\gth60338.exe %System%\ComRes.dll %WinDir%\fOntS\ComRes.dll %WinDir%\fOntS\gth60338.ttf %WinDir%\fOntS\gth60338.fon
- Rename the file:
%System%\sysgth.dll
in the file:%System%\ComRes.dll
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: BBD63347DEFE78335BA943A3D0AC4980
SHA1: ADACC83C5BC638791B8783359D082FA30C1FF4C3
This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Trojan-GameThief.
- Trojan:
PWS-OnlineGames. ed (McAfee) - Mal/Comot-A (Sophos)
- Generic Trojan (Panda)
- W32/OnlineGames.
CG. gen!Eldorado (FPROT) - PWS:
Win32/Lolyda. AH (MS(OneCare)) - Trojan.
PWS. Wsgame. 11209 (DrWeb) - Win32/PSW.
OnLineGames. NUA trojan (Nod32) - Trojan.
PWS. OnlineGames. KBXA (BitDef7) - Trojan.
DR. OnlineGames. Gen. 120 (VirusBuster) - Win32:
Trojan-gen (AVAST) - Virus.
Win32. OnLineGames (Ikarus) - PSW.
OnlineGames3. BCB (AVG) - TR/Spy.
Gen2 (AVIRA) - Trojan Horse (NAV)
- NseCheckFile2() returned 0x00010018 (Norman)
- Trojan-PSW:
W32/OnlineGames. gen!B [FSE] (FSecure) - Trojan.
Win32. Generic!BT (Sunbelt) - Trojan.
DR. OnlineGames. Gen. 120 (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.