Internet threat level: 1
Home→Descriptions→Trojan-GameThief.Win32.OnLineGames.xfck
Trojan-GameThief.Win32.OnLineGames.xfck
| Detected | Oct 10 2010 05:00 GMT |
| Released | Oct 10 2010 12:41 GMT |
| Published | Mar 22 2011 08:48 GMT |
Payload
Removal instructions
Technical Details
This Trojan belongs to the family of Trojans that steals passwords from online gaming user account records. It is a Windows application (PE DLL file). It is 36 865 bytes in size. It is written in C++.
Payload
This Trojan library is designed to steal passwords from user accounts for the game "World of Warcraft". To do so, the library is injected into the address space of the process "wow.exe", after which a window with the class name "GxWindowClassD3d" and the heading "World of Warcraft" appears in the system. From this window, it steals the information that the user enters to access the online game. The information collected is passed in the form of settings to the following URL:
http://w.per***exe.com:888/houmen/wow.aspThe library exports a function named "AR", which when called up creates the system registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"Thereby, each time the system starts, the system utility "RUNDLL32.EXE" will call up the function named "w" from the Trojan library.
When the exported function "w" is called up, it carries out the following actions:
- The body of the Trojan is copied to the file:
<Path>\msvcr70.dll
The value of the substring "<Path>" is read from the system registry key:[HKLM\Software\Blizzard Entertainment\World of Warcraft] "GamePath"
- In the file
<Path>\wow.exe
a section named ".ngaut" is written, which contains code to inject the library "<Path>\msvcr70.dll" into the address space of this process. Thus, the entry point of "wow.exe" changes and points to the code in the written section. - A hook procedure is implemented, allowing the malware to track messages in the system queue.
- The following system registry key is created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Terminate the process "wow.exe".
- Restore the original content of the file:
<Path>\wow.exe
- Delete the following files:
<Path>\msvcr70.dll
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Trojan-GameThief.
- Trojan:
PWS-OnLineGames. il (McAfee) - Mal/Behav-170 (Sophos)
- PWS:
Win32/Frethog. MK (MS(OneCare)) - Trojan.
PWS. Wow. 1752 (DrWeb) - a variant of Win32/PSW.
WOW. NNZ trojan (Nod32) - Gen:
Trojan. Heur. LP. cu5@a4OzJAn (BitDef7) - PSW.
Generic8. YSF (AVG) - W32/Wow.
SAE (Norman) - Trojan.
PSW. Win32. GameOnlineX. eg (Rising) - TSPY_ONLINEG.
SMQ (TrendMicro)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.