
Trojan-GameThief.Win32.WOW.el

Detected Sep 26 2006 10:30 GMT
Released Mar 15 2007 10:43 GMT
Published Sep 26 2006 10:30 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan program is designed to steal user passwords for accounts on WoW servers. The Trojan itself is a Windows PE EXE file, written in Delphi and packed using NsPack. The packed file is 136069 bytes in size, and the unpacked file is approximately 316KB in size.

Installation

Once launched, the Trojan creates a DLL file in the C:\ root directory:

c:\nxldr.dat

It then launches this file and calls its "start" function.

When launching, the DLL file copies its executable file to the Windows system directory:

%System32%\KB896425.log

The Trojan creates a service called NetWork Logon in order to ensure that it is automatically run each time Windows is restarted:

[HKLM\System\CurrentControlSet\Services\NetWorkLogon]

Payload

When launched, the DLL file obtains a list of running processes. It then injects itself into the address space of one process chosen at random from that list, as well as into the processes listed below:

EXPLORER.EXE
IEXPLORE.EXE

In these processes the DLL installs a hook on the send function exported by WS2_32.dll, which it uses to monitor the user's HTTP requests. For POST requests whose URL contains the following string:

/vk/unblock_deal.php

the Trojan gets the values of the following parameters:

account=
pin=

If the URL contains the string /dologin.php, the Trojan will get the value of the parameters listed below:

loginname=
&password=

For processes called WOW.EXE the Trojan gets the values entered in dialogue boxes, and will also take screenshots of some dialogue boxes.

The Trojan sends the harvested information to the remote malicious user's site.

The Trojan will also delete all links containing the string "the9.com" from the browser cache.
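The send hook described above is a user-mode inline hook: the first bytes of the exported function in the process's copy of WS2_32.dll are overwritten with a jump into the injected DLL. The following script is an added example (not code from this description or from Kaspersky Lab) showing two checks a responder can use to confirm such a hook: recognising a trampoline at the first instruction, and comparing the in-memory prologue with the clean on-disk copy of the module. The function address, the injected-handler address and the prologue bytes are constructed sample values; reading the real bytes from a live process is left to whatever memory-acquisition tool you already use.

```python
"""Detect an inline hook on an exported function such as ws2_32!send.

Added example, not code from the Kaspersky description. Only 32-bit x86
trampoline encodings are handled, which matches the era of this sample.
"""
import struct

JMP_REL32 = 0xE9                # E9 rel32          : jmp target
JMP_ABS_INDIRECT = b"\xff\x25"  # FF 25 disp32      : jmp [ptr]
PUSH_IMM32, RET = 0x68, 0xC3    # 68 imm32 / C3     : push target; ret


def hook_target(prologue: bytes, function_address: int):
    """Return the address a trampoline at `prologue` diverts to, or None.

    `function_address` is the virtual address of the prologue; it is needed
    to resolve a relative jump.
    """
    if len(prologue) >= 5 and prologue[0] == JMP_REL32:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (function_address + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[:2] == JMP_ABS_INDIRECT:
        # Jump through a pointer: report the pointer's address (the pointer
        # value itself would have to be read from the process to go further).
        return struct.unpack_from("<I", prologue, 2)[0]
    if len(prologue) >= 6 and prologue[0] == PUSH_IMM32 and prologue[5] == RET:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def differs_from_disk(in_memory: bytes, on_disk: bytes) -> bool:
    """True if the bytes seen in the process differ from the clean module."""
    n = min(len(in_memory), len(on_disk))
    return in_memory[:n] != on_disk[:n]


def inspect_export(name: str, in_memory: bytes, on_disk: bytes,
                   function_address: int) -> dict:
    """Combine both checks into one finding for an exported function."""
    target = hook_target(in_memory, function_address)
    patched = differs_from_disk(in_memory, on_disk)
    return {
        "function": name,
        "patched": patched,
        "trampoline_target": target,
        "hooked": target is not None or patched,
    }


# Constructed sample data (assumed values, not real load addresses). The clean
# prologue is "mov edi,edi; push ebp; mov ebp,esp", the hot-patchable sequence
# typical of 32-bit Win32 exports.
SEND_ADDRESS = 0x71AB0000        # assumed address of ws2_32!send
INJECTED_HANDLER = 0x10001000    # assumed address inside the injected DLL
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"
HOOKED_PROLOGUE = (b"\xe9"
                   + struct.pack("<i", INJECTED_HANDLER - (SEND_ADDRESS + 5)))

if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        print(label, inspect_export("ws2_32!send", mem, CLEAN_PROLOGUE,
                                    SEND_ADDRESS))
```

Because the comparison is against the on-disk module, the check also flags hooks that use an encoding `hook_target` does not recognise; the trampoline decoding is what tells you where the diverted call lands, which is the injected DLL's address range in the case of this Trojan.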


Removal instructions

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how it initially penetrated the victim machine).
  3. Delete the files created by the Trojan:

    %System32%\KB896425.log
    c:\nxldr.dat

  4. Delete the following system registry keys:

    [HKLM\System\CurrentControlSet\Services\NetWorkLogon]

  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
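The file paths and the service name above are the host indicators for this sample. The script below is an added example (not a Kaspersky tool) that checks a host snapshot for them. The matching functions take the list of paths that exist and the list of registered service names as plain inputs, so they can be run offline against constructed data; `collect_windows_snapshot()` builds a real snapshot on Windows from `%SystemRoot%` and the `Services` registry key using only the standard library. The default `C:\WINDOWS\system32` path and the sample service list are assumptions.

```python
"""Host check for the file and service indicators in this description.

Added example, not a Kaspersky tool. The indicator values are taken from the
description; everything else is constructed or assumed.
"""
import os
import sys

FILE_INDICATORS = (r"%System32%\KB896425.log", r"c:\nxldr.dat")
SERVICE_INDICATORS = ("NetWorkLogon",)
DEFAULT_SYSTEM32 = r"C:\WINDOWS\system32"  # assumed; resolved from %SystemRoot% on Windows


def expand(indicator: str, system32: str) -> str:
    """Resolve the %System32% placeholder used in the description."""
    return indicator.replace("%System32%", system32)


def check_files(present_paths, system32=DEFAULT_SYSTEM32):
    """Return the file indicators found among `present_paths` (case-insensitive)."""
    present = {p.lower() for p in present_paths}
    return [ioc for ioc in FILE_INDICATORS
            if expand(ioc, system32).lower() in present]


def check_services(service_names):
    """Return the service indicators found among `service_names`."""
    names = {s.lower() for s in service_names}
    return [s for s in SERVICE_INDICATORS if s.lower() in names]


def assess(present_paths, service_names, system32=DEFAULT_SYSTEM32) -> dict:
    """Summarise which indicators matched and whether any did."""
    files = check_files(present_paths, system32)
    services = check_services(service_names)
    return {"files": files, "services": services,
            "infected": bool(files or services)}


def collect_windows_snapshot():
    """Gather a real snapshot on Windows: indicator paths that exist and the
    service names registered under HKLM\\System\\CurrentControlSet\\Services."""
    import winreg  # Windows-only module, imported lazily on purpose
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                            "system32")
    present = [p for p in (expand(i, system32) for i in FILE_INDICATORS)
               if os.path.exists(p)]
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as key:
        index = 0
        while True:
            try:
                services.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return present, services, system32


if __name__ == "__main__":
    if sys.platform == "win32":
        present, services, system32 = collect_windows_snapshot()
    else:
        # Constructed snapshot so the example runs on any platform.
        present = [r"C:\WINDOWS\system32\KB896425.log", r"C:\nxldr.dat"]
        services = ["Dhcp", "NetWorkLogon", "Spooler"]
        system32 = DEFAULT_SYSTEM32
    print(assess(present, services, system32))
```

Run it before and after the removal steps: a clean result after cleanup confirms that both files and the service key are gone, while a service match with no file match usually means the service entry was left behind and the machine will log an error for the missing `KB896425.log` at the next boot.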

Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.


Other versions

Aliases

Trojan-GameThief.Win32.WOW.el (Kaspersky Lab) is also known as:

  • Trojan-Spy.BAT.CookSteal.el (Kaspersky Lab)
  • Trojan-PSW.Win32.WOW.el (Kaspersky Lab)
  • Trojan: Generic.dx!uwo (McAfee)
  • Mal/EncPk-BW (Sophos)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Wowcraft.JS (FPROT)
  • VirTool:Win32/Obfuscator.C (MS(OneCare))
  • Trojan.PWS.Gamania.25893 (DrWeb)
  • a variant of Win32/PSW.Legendmir.BCD trojan (Nod32)
  • Generic.PWS.WoW.DE67A241 (BitDef7)
  • Trojan.PWS.WOW!IGNMK20if2o (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Trojan-Spy.Win32.Banker.cea (Ikarus)
  • PSW.Generic2.EBO (AVG)
  • Infostealer.Wowcraft.B (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • TSPY_WOW.ED (TrendMicro)
  • Trojan.PWS.WOW!IGNMK20if2o (VirusBusterBeta)