Trojan.PWS.OnlineGames.ZNH
Presence of the following CLSID:
{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}
and one or both of the following files in C:\Windows\system32\: adsntzt.dll, crtdll.dll. Note that crtdll.dll is also the file name of a legitimate, older Microsoft C runtime library that some Windows versions ship in system32, so that file alone is a weak indicator; the CLSID and the registry entries below are the decisive ones.
The malware comes bundled with cheat utilities for online games (mostly from
Drops the following files: C:\Windows\system32\adsntzt.dll and C:\Windows\system32\crtdll.dll, which are then injected into every running process.
It creates the following CLSID:
{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}
whose (Default) value is set to "adsntzt.dll".
This CLSID is then registered under the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
so that the shell loads the DLL into explorer.exe and into every process that calls ShellExecute.
A value named after the DLL is also created under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
with its data set to the same CLSID, which makes explorer.exe load the object at logon.
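The following script is an added example for checking the two persistence locations above (ShellExecuteHooks and ShellServiceObjectDelayLoad) together with the CLSID registration; it is not part of the original write-up. It parses a text export made with reg.exe, so it can be run offline against an export taken from a suspect machine, and on Windows it can export HKLM\SOFTWARE itself. The embedded sample export is constructed for the demonstration, and the InprocServer32 subkey and the two benign default entries in it are assumptions about a typical registry, not details from the write-up.

```python
"""Check a reg.exe export for the Trojan.PWS.OnlineGames.ZNH persistence entries."""
import re
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

IOC_CLSID = "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"
IOC_DLLS = ("adsntzt.dll", "crtdll.dll")
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# One value line of a .reg file: either @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash followed by any char yields that char."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    String values are unescaped; other types (dword:, hex:) are kept raw.
    The default value is stored under the empty name "".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name = "" if m.group(1) == "@" else _unescape(m.group(2))
                data = m.group(3)
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = _unescape(data[1:-1])
                keys[current][name] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one human-readable line per persistence indicator found."""
    found: List[str] = []
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}
    # 1. The CLSID registered as a ShellExecute hook: the shell loads the COM
    #    object into explorer.exe and every process that calls ShellExecute.
    for name in by_lower.get(HOOKS_KEY.lower(), ("", {}))[1]:
        if name.lower() == IOC_CLSID.lower():
            found.append(f"ShellExecuteHooks value {name}")
    # 2. A ShellServiceObjectDelayLoad value whose data is the CLSID: explorer.exe
    #    instantiates the object at logon.
    for name, data in by_lower.get(SSODL_KEY.lower(), ("", {}))[1].items():
        if data.strip().lower() == IOC_CLSID.lower():
            found.append(f"ShellServiceObjectDelayLoad value {name!r} -> {data}")
    # 3. The CLSID's own registration (any hive view) pointing at a dropped DLL.
    needle = "\\clsid\\" + IOC_CLSID.lower()
    for k_lower, (k, values) in by_lower.items():
        if needle in k_lower:
            for name, data in values.items():
                if any(d in data.lower() for d in IOC_DLLS):
                    found.append(f"{k} {name or '(Default)'} = {data}")
    return found


# Constructed sample export (not from a real infection): the entries the
# write-up describes, plus two well-known benign defaults as noise. The
# InprocServer32 subkey is an assumed normal in-process COM registration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}]
@="adsntzt.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InprocServer32]
@="C:\\Windows\\system32\\adsntzt.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"adsntzt.dll"="{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"
"""


def read_reg_file(path: str) -> str:
    """reg.exe writes UTF-16LE with a BOM; hand-saved .reg files may be UTF-8."""
    data = Path(path).read_bytes()
    return data.decode("utf-16" if data.startswith(b"\xff\xfe") else "utf-8", errors="replace")


def export_live_hklm_software() -> str:
    """On Windows, dump HKLM\\SOFTWARE with reg.exe and return the export text."""
    out = Path(tempfile.gettempdir()) / "hklm_software.reg"
    subprocess.run(["reg", "export", r"HKLM\SOFTWARE", str(out), "/y"], check=True)
    return read_reg_file(str(out))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = read_reg_file(sys.argv[1])          # offline: python check.py export.reg
    elif sys.platform == "win32":
        text = export_live_hklm_software()         # live check on the suspect host
    else:
        text = SAMPLE_EXPORT                       # demo on the constructed sample
    hits = find_indicators(parse_reg_export(text))
    print("\n".join(hits) if hits else "no Trojan.PWS.OnlineGames.ZNH persistence entries found")
```

Run it with the path of a .reg export as the only argument to scan an export taken from another machine; with no argument it exports HKLM\SOFTWARE on Windows or runs against the constructed sample elsewhere. The CLSID lookup deliberately matches any key path containing CLSID\{...}, so both the HKLM\SOFTWARE\Classes view and a raw HKEY_CLASSES_ROOT export are covered.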
Tries to access and download from the following URLs:
http://www.luoshabi.cn/[removed]/linaabc.a
http://xcloud.a141.zgsj.net/[removed]/recv.a
This malware is used to steal account credentials and other user information from online games such as hx2game.exe, Silkroad Online, KnightOnline, Lineage, Cabal Online and others.