Trojan.Dropper.RWY
(Trojan-PSW.Win32.OnLineGames.adjg, Infostealer.Gampass, Spy/ONLINEG)

Spreading: medium
Damage: medium
Size: 15,405 bytes
Discovered: 2008 May 05
SYMPTOMS:
Presence of specified files and registry entries.
TECHNICAL DESCRIPTION:
When started, the malware drops the files spmyaapi.sys and mpmycapi.dll and creates a copy of itself named simyaapi.exe in %windir%\system32\. Note that these files are hidden. It then loads the new copy and deletes the original file.
mpmycapi.dll is registered using the following keys:
- HKCR\CLSID\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\InporcServer32\(Default) = "%windir%\system32\mpmycapi.dll"
- HKCR\CLSID\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\InporcServer32\ThreadingModel = "Apartment"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3629FF4F-ACDB-5C90-A098-FACB3456A263} = "mpmycapi.dll"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3629FF4F-ACDB-5C90-A098-FACB3456A263}\(Default) = "mpmycapi.dll"
This DLL is used to steal account information from players of an MMORPG. Once loaded into a process, the DLL takes one of the following actions, depending on the process name:
- if the process is named soul.exe, it creates a thread that monitors keystrokes to steal information, which is then sent to a specific location on the Internet
- if the process is named play.exe, the path of the process is used to delete %process path%\ini\GameSetUp.ini and %process path%\TQAT\*.exe
- if the process has neither of the above names, it tries to infect other running processes and refreshes the registry entries
When the malware is run for the first time, simyaapi.exe is used to load the first instance of mpmycapi.dll. Afterwards, it is loaded at startup.
Removal instructions:
Restart your computer in Safe Mode with Command Prompt. In the command prompt type
del %windir%\system32\mpmycapi.dll
Then you can restart in normal mode and delete the rest of the above mentioned files and registry entries.
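As an added example that is not part of the original write-up, the following PowerShell script audits a host for the dropped files and registry entries listed in the technical description and reports which ones are present, without deleting or changing anything. It is meant to be run from an elevated prompt before and after the removal steps. The file names, CLSID and key paths are taken from the description; the extra check for an "InprocServer32" subkey is an assumption, since the page prints the subkey as "InporcServer32" and the standard COM subkey name is "InprocServer32". The files are hidden, so the file check uses -Force.

```powershell
# Added example (not from the original write-up): detection-only audit for the
# Trojan.Dropper.RWY indicators described above. Nothing is modified.
$clsid = '{3629FF4F-ACDB-5C90-A098-FACB3456A263}'
$sys32 = Join-Path $env:windir 'system32'

# Files dropped into %windir%\system32 (hidden, hence -Force below).
$files = 'spmyaapi.sys', 'mpmycapi.dll', 'simyaapi.exe' |
    ForEach-Object { Join-Path $sys32 $_ }

# Registry keys the DLL registers itself under.
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InporcServer32",   # spelling as printed on the page
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",   # standard subkey name (assumption)
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)
# ShellExecuteHooks stores the CLSID as a value name under one key, not as a subkey.
$hookKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

$findings = @()

foreach ($f in $files) {
    # Get-Item -Force is required to see hidden files.
    if (Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue) {
        $findings += "file present: $f"
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $default = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
        $findings += "registry key present: $k (default = '$default')"
    }
}

if (Test-Path -LiteralPath $hookKey) {
    $hooks = Get-ItemProperty -LiteralPath $hookKey -ErrorAction SilentlyContinue
    if ($hooks -and ($hooks.PSObject.Properties.Name -contains $clsid)) {
        $findings += "ShellExecuteHooks value present: $clsid = '$($hooks.$clsid)'"
    }
}

# Processes that currently have the DLL mapped; this is why the removal
# instructions delete it from Safe Mode with Command Prompt.
$loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq 'mpmycapi.dll' }) { $p.ProcessName }
    } catch { }   # protected or cross-bitness processes may refuse module enumeration
}
$loaded = $loaded | Sort-Object -Unique
if ($loaded) { $findings += "mpmycapi.dll loaded in: $($loaded -join ', ')" }

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Dropper.RWY indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Registry:: provider paths are used because HKCR is not mapped as a drive by default, and -LiteralPath avoids any wildcard interpretation of the braces in the CLSID. Because the DLL is loaded by Explorer through ShellExecuteHooks and the BHO entry, the process list at the end is expected to include explorer.exe and browsers on an infected machine, which is exactly why the file cannot simply be deleted from a normal session.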
ANALYZED BY:
Deac Razvan-Ioan, virus researcher