
Trojan.PWS.OnlineGames.AABK

MEDIUM
MEDIUM
10.8KB
(Trojan-GameThief.Win32.OnLineGames.toyp, Trj/Lineage.JZV, TROJ_ZLOB.BCK, PWS-Mmorpg.gen trojan, Spy/OnLineGames )

Symptoms

If you have the following files on your computer, you are infected:

%windir%\system32\srpcss.dll
%windir%\system32\sys05020.add
%windir%\system32\sys05020.dll   (size 24.5KB)
%windir%\system32\gdipro.dll     (size 35.5KB)

where %windir% denotes C:\Windows or C:\WINNT, depending on the Windows version.

Removal instructions:

- Restore the original rpcss.dll by renaming %windir%\system32\srpcss.dll to %windir%\system32\rpcss.dll, then delete the other malware files (%windir%\system32\sys05020.add, %windir%\system32\sys05020.dll, %windir%\system32\gdipro.dll);
or
- Let BitDefender delete the infected files, then rename %windir%\system32\srpcss.dll to %windir%\system32\rpcss.dll.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

First, the malware deletes the backup copies of %windir%\system32\rpcss.dll (a Windows file) from
%windir%\system32\dllcache\rpcss.dll and
%windir%\servicepackfiles\i386\rpcss.dll
so that the operating system cannot restore the original file.

However, a copy of the original rpcss.dll is kept at %windir%\system32\srpcss.dll; this copy is loaded and used whenever the functions from this .dll are needed.
Afterwards, the malware overwrites the legitimate file %windir%\system32\rpcss.dll with a .dll contained in its body, a .dll that is also dropped to %windir%\system32\gdipro.dll.

At this point, %windir%\system32\rpcss.dll contains undesired code that is loaded at every system startup, as it is used (and loaded) by the svchost.exe process.
The new rpcss.dll has the same exported functions as srpcss.dll, each of them redirecting execution to the corresponding function in srpcss.dll. The main malicious action is performed at load time: the creation of a remote thread in csrss.exe (or explorer.exe) that executes code from %windir%\system32\sys05020.dll, another file dropped by the malware.

This sys05020.dll tries to collect sensitive data sent while connecting to some online-gaming sites, or to block access to other such sites.

After all the above malware files have been dropped and run/loaded, the original trojan is deleted.
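The following PowerShell script is an added example and not a Bitdefender tool. It turns the Symptoms list and the Technical Description into a read-only check: it looks for the four dropped files, reports whether the protected backup copies of rpcss.dll that the trojan deletes are missing, and inspects the Authenticode signature and version information of the current rpcss.dll. File names and paths are the ones given on this page; the script assumes it is run from an elevated prompt and it removes nothing.

```powershell
# Added example (not Bitdefender's code): read-only check for the indicators of
# Trojan.PWS.OnlineGames.AABK described on this page. Run elevated; nothing is modified.

$sys32 = Join-Path $env:windir 'system32'

# Files listed under Symptoms as infection indicators
$indicators = @('srpcss.dll', 'sys05020.add', 'sys05020.dll', 'gdipro.dll') |
    ForEach-Object { Join-Path $sys32 $_ }

$found = $indicators | Where-Object { Test-Path -LiteralPath $_ }
if ($found) {
    Write-Warning 'Indicator files present:'
    $found | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "No indicator files found in $sys32"
}

# The trojan deletes the protected copies of rpcss.dll so Windows cannot restore it;
# their absence on an affected system is a second hint worth reporting.
$backups = @(
    (Join-Path $sys32 'dllcache\rpcss.dll'),
    (Join-Path $env:windir 'servicepackfiles\i386\rpcss.dll')
)
foreach ($b in $backups) {
    if (-not (Test-Path -LiteralPath $b)) {
        Write-Warning "Backup copy of rpcss.dll missing: $b"
    }
}

# The genuine rpcss.dll carries Microsoft version information and a Microsoft signature;
# the overwritten one carries the malware's body instead.
$rpcss = Join-Path $sys32 'rpcss.dll'
if (Test-Path -LiteralPath $rpcss) {
    $sig = Get-AuthenticodeSignature -FilePath $rpcss
    $ver = (Get-Item -LiteralPath $rpcss).VersionInfo
    Write-Output ('rpcss.dll size:      {0} bytes' -f (Get-Item -LiteralPath $rpcss).Length)
    Write-Output ('rpcss.dll company:   {0}' -f $ver.CompanyName)
    Write-Output ('rpcss.dll signature: {0}' -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ('rpcss.dll signer:    {0}' -f $sig.SignerCertificate.Subject)
    }
    if ($sig.Status -ne 'Valid' -or $ver.CompanyName -notlike '*Microsoft*') {
        Write-Warning 'rpcss.dll does not look like the original Microsoft file; it may have been replaced'
    }
} else {
    Write-Warning "rpcss.dll not found at $rpcss"
}
```

Treat the signature result as one signal among several: on older Windows versions system DLLs are often signed through a catalog rather than an embedded signature, so a status other than Valid is not by itself proof of tampering, whereas the presence of the four indicator files together with a missing dllcache copy is a strong match for this page's description. Once the check confirms an infection, follow the Removal instructions above rather than deleting files from the script.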