Symptoms
Presence of specified files and registry entries.
Removal instructions:
Restart your computer in Safe Mode with Command Prompt. At the command prompt, type del %windir%\system32\mpmycapi.dll
Then restart in normal mode and delete the rest of the files and registry entries listed in the technical description.
Analyzed By
Deac Razvan-Ioan, virus researcher
Technical Description:
When started, the malware drops the files spmyaapi.sys and mpmycapi.dll and creates a copy of itself named simyaapi.exe in %windir%\system32\. Note that these files are hidden. It then loads the new copy and deletes the original file.
mpmycapi.dll is registered using the following keys:
- HKCR\CLSID\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\InporcServer32\(Default) = "%windir%\system32\mpmycapi.dll"
- HKCR\CLSID\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\InporcServer32\ThreadingModel = "Apartment"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3629FF4F-ACDB-5C90-A098-FACB3456A263} = "mpmycapi.dll"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\(Default) = "mpmycapi.dll"
This DLL is used to steal account information from players of an MMORPG. Once loaded into a process, the DLL takes one of the following actions, depending on the process name:
- if the process is named soul.exe, it creates a thread that monitors keystrokes to steal information, which is then sent to a specific location on the Internet
- if the process is named play.exe, the path of the process is used to delete %process path%\ini\GameSetUp.ini and %process path%\TQAT\*.exe
- if the process has neither of the above names, it tries to infect other running processes and refreshes the registry entries
When the malware is run for the first time, simyaapi.exe is used to load the first instance of mpmycapi.dll. Afterwards, it is loaded at startup.
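As an added example that is not part of the original description, the following PowerShell script checks a host for the hidden files and registry entries listed above and for processes that currently have the DLL loaded. It assumes the artifact names and CLSID exactly as this page gives them (including the InporcServer32 spelling) and only reports; it removes nothing.

```powershell
# Added example, not from the original write-up: read-only check for the
# artifacts described above. Run from an elevated PowerShell prompt.
$clsid  = '{3629FF4F-ACDB-5C90-A098-FACB3456A263}'
$sys32  = Join-Path $env:windir 'system32'
$hooks  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$bho    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
# HKCR has no default PSDrive, so it is addressed through the Registry provider.
# The InporcServer32 key name is reproduced from the write-up as given.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InporcServer32"

$findings = @()

# The dropped files are hidden, so -Force is required or Get-Item will not see them.
foreach ($name in 'spmyaapi.sys', 'mpmycapi.dll', 'simyaapi.exe') {
    $path = Join-Path $sys32 $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) { $findings += "file present: $path [$($item.Attributes)]" }
}

# The COM registration and the BHO entry are whole keys; the ShellExecuteHooks
# entry is a value named after the CLSID, so it is read with -Name, not Test-Path.
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
    $findings += "COM server registered: $inproc -> $dll"
}
if (Test-Path -LiteralPath $bho) { $findings += "BHO registered: $bho" }
$hook = Get-ItemProperty -LiteralPath $hooks -Name $clsid -ErrorAction SilentlyContinue
if ($hook) { $findings += "ShellExecuteHook registered: $hooks\$clsid = $($hook.$clsid)" }

# The DLL is loaded into other processes (soul.exe, play.exe, ...), so also list
# any process that currently has it mapped. tasklist /M prints CSV rows only
# for matches; the "INFO: No tasks..." line is filtered out by the quote check.
$loaded = tasklist /M mpmycapi.dll /FO CSV /NH | Where-Object { $_ -like '"*' }
foreach ($row in $loaded) { $findings += "mpmycapi.dll loaded in: $row" }

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this description were found.'
} else {
    Write-Warning "Found $($findings.Count) artifact(s) matching this description:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A process that shows the DLL loaded is the one to terminate before the files and keys are removed, since a mapped DLL cannot be deleted.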