
Trojan.Dropper.SPO

HIGH
MEDIUM
Size: 23,076 bytes
Also known as: Infostealer.Gamepass, Trojan-GameThief.Win32.OnlineGames.tnfb, PWS-Mmorpg.gen

Symptoms

The presence of the files and registry entries mentioned below.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Deac Razvan-Ioan, virus researcher

Technical Description:

This trojan is used to steal sensitive information relating to an MMORPG (Legend of Mir).

On first run the malware copies itself to %windir%\system32\saw110.exe and creates a registry entry so that this file is run at startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
               nwiz->saw110.exe

Saw110.exe drops the file saw110.dll, which it injects into explorer.exe.

Loaded as a module in explorer.exe, saw110.dll looks for processes that have a particular kind of graphical interface (by searching for window names such as TFrmMain or TDXDraw).

If such a process is found, saw110.dll injects itself into it and checks for the following file names: mir.exe, mir1.dat, mir2.dat. If one of these names is present, the malware tries to steal account information and sends it over HTTP to a remote server.
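The Symptoms section above says the infection is recognisable by the dropped files and the registry entry. The following Python script is an added example (not Bitdefender's code) showing how an incident responder can check an exported registry hive and a file listing against exactly those indicators offline: it parses the text produced by `reg export`, lists everything under the lesser-known `policies\Explorer\Run` autorun key, and flags the `nwiz -> saw110.exe` value and the saw110.exe / saw110.dll file names. The registry export and file list embedded below are constructed sample data; the `SecurityHealth` entry is a benign filler value included only to show that unrelated Run entries are not flagged.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above.
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
AUTORUN_DATA = "saw110.exe"
DROPPED_FILES = {"saw110.exe", "saw110.dll"}

# Constructed sample input in the format written by `reg export` (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"nwiz"="saw110.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Constructed sample directory listing of %windir%\system32 (not a real capture).
SAMPLE_FILES = [
    r"C:\Windows\system32\saw110.exe",
    r"C:\Windows\system32\saw110.dll",
    r"C:\Windows\system32\kernel32.dll",
]

_VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key_path: {value_name: data}}.

    Only REG_SZ values (quoted strings) are interpreted; other types are kept
    as their raw right-hand side, which is enough for autorun inspection.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes inside string data.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def policy_run_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return every (value name, data) pair under policies\\Explorer\\Run.

    Anything here deserves a look: the key is a valid autorun location that is
    easy to overlook because most tooling focuses on the ordinary Run key.
    """
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.lower() == AUTORUN_KEY.lower():
            hits.extend(sorted(values.items()))
    return hits


def match_indicators(keys: Dict[str, Dict[str, str]], files: List[str]) -> dict:
    """Compare a parsed registry export and a file listing against the IoCs."""
    entries = policy_run_entries(keys)
    autorun_hits = [(n, d) for n, d in entries if AUTORUN_DATA in d.lower()]
    basenames = {p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in files}
    return {
        "policy_run_entries": entries,
        "saw110_autorun": autorun_hits,
        "dropped_files": sorted(DROPPED_FILES & basenames),
    }


if __name__ == "__main__":
    result = match_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_FILES)
    for field, value in result.items():
        print(f"{field}: {value}")
```

On a live host the same functions can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run" run.reg` and a directory listing of %windir%\system32; the parser deliberately ignores value types other than plain strings so that it never mis-reads binary data as a path.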