
Trojan-GameThief.Win32.OnLineGames.xfck

Detected Oct 10 2010 05:00 GMT
Released Oct 10 2010 12:41 GMT
Published Mar 22 2011 08:48 GMT


Technical Details

This Trojan belongs to a family of Trojans that steal passwords for online game user accounts. It is a Windows PE DLL, 36 865 bytes in size, written in C++.


Payload

This Trojan library is designed to steal passwords for user accounts of the game "World of Warcraft". To do so, the library is injected into the address space of the process "wow.exe" and waits for a window with the class name "GxWindowClassD3d" and the title "World of Warcraft" to appear on the system. It captures the credentials the user enters into this window to log in to the online game. The collected information is sent as request parameters to the following URL:

http://w.per***exe.com:888/houmen/wow.asp
The library exports a function named "AR", which when called creates the following system registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
As a result, each time the system starts, the system utility "RUNDLL32.EXE" loads the Trojan library and calls its exported function "w".

When the exported function "w" is called, it carries out the following actions:

  • The body of the Trojan is copied to the file:
    <Path>\msvcr70.dll
    The value of "<Path>" is read from the following system registry value:
    [HKLM\Software\Blizzard Entertainment\World of Warcraft]
    "GamePath"
    
  • A section named ".ngaut" is written into the file
    <Path>\wow.exe
    containing code that injects the library "<Path>\msvcr70.dll" into the address space of the process. The entry point of "wow.exe" is changed to point to the code in the added section, so the library is loaded every time the game is started.
  • A hook procedure is installed, allowing the malware to intercept messages in the system message queue.
  • The following system registry value is created (the same value that the exported function "AR" creates):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
    


Removal instructions

If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to delete it:

  1. Terminate the process "wow.exe".
  2. Restore the original content of the file:
    <Path>\wow.exe
    for example by reinstalling the game client. A copy modified by this Trojan can be recognised by the added ".ngaut" section and by an entry point that no longer lies in the original code section.
  3. Delete the following file:
    <Path>\msvcr70.dll
  4. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  5. Delete the following system registry value (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
    
  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.
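As an added example that is not part of the Kaspersky description, the following Python script performs the check a responder wants before trusting or restoring wow.exe in step 2: it parses the PE section table, reports whether the file carries the ".ngaut" section described under Payload, and checks whether AddressOfEntryPoint has been redirected into that section. The parsing follows the documented IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER layout; the build_sample_pe helper, the CLEAN and PATCHED images and all function names are this example's own constructed material, not real game binaries or the malware's code.

```python
"""Added triage helper: detect the ".ngaut" section and redirected entry point
that Trojan-GameThief.Win32.OnLineGames.xfck leaves in wow.exe.

The PE parsing follows the documented IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER /
IMAGE_SECTION_HEADER layout; the sample images are constructed test data only."""
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
INJECTED_SECTION = b".ngaut"   # section name reported in the Payload description


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize), ...])
    for a PE image given as bytes. Raises ValueError if it is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                    # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append((fields[0].rstrip(b"\0"), fields[2], fields[1]))
    return entry_rva, sections


def inspect_image(data):
    """Report whether the image carries the injected section and whether the
    entry point has been moved into it (the modification the Trojan makes)."""
    entry_rva, sections = parse_sections(data)
    verdict = {
        "entry_rva": entry_rva,
        "sections": [name for name, _, _ in sections],
        "has_ngaut": False,
        "entry_in_ngaut": False,
    }
    for name, va, vsize in sections:
        if name == INJECTED_SECTION:
            verdict["has_ngaut"] = True
            verdict["entry_in_ngaut"] = va <= entry_rva < va + vsize
    return verdict


def inspect_file(path):
    """Convenience wrapper for an on-disk wow.exe (the path is the caller's)."""
    with open(path, "rb") as fh:
        return inspect_image(fh.read())


def build_sample_pe(sections, entry_rva):
    """Build a minimal headers-only PE32 image. Constructed test data: not a
    runnable program and not a real game binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                            # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: an untouched layout and one patched the way the Trojan does it.
CLEAN = build_sample_pe([(b".text", 0x1000, 0x10000), (b".rdata", 0x11000, 0x2000)], 0x1234)
PATCHED = build_sample_pe(
    [(b".text", 0x1000, 0x10000), (b".rdata", 0x11000, 0x2000), (b".ngaut", 0x13000, 0x200)],
    0x13000,
)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, inspect_image(image))
```

A negative result from this check does not prove the file is clean: the section name and entry point are only the traits this description reports, so the restored wow.exe should still be compared against the game installer's copy, and the Trojan body itself lives in the msvcr70.dll next to it (step 3), not in the patched executable.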


Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.



Aliases

Trojan-GameThief.Win32.OnLineGames.xfck (Kaspersky Lab) is also known as:

  • Trojan: PWS-OnLineGames.il (McAfee)
  • Mal/Behav-170 (Sophos)
  • PWS:Win32/Frethog.MK (MS(OneCare))
  • Trojan.PWS.Wow.1752 (DrWeb)
  • a variant of Win32/PSW.WOW.NNZ trojan (Nod32)
  • Gen:Trojan.Heur.LP.cu5@a4OzJAn (BitDef7)
  • PSW.Generic8.YSF (AVG)
  • W32/Wow.SAE (Norman)
  • Trojan.PSW.Win32.GameOnlineX.eg (Rising)
  • TSPY_ONLINEG.SMQ (TrendMicro)