Trojan.Downloader.Small.ABFV
MEDIUM
MEDIUM
~23 kbytes
(PWS:Win32/Lolyda.AA; Worm.win32.Downloader.abx; Infostealer.Gampass)
Symptoms
Presence of a DLL file with a random eight-letter name in the %SYSTEM% folder.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dana Stanut, virus researcher
Technical Description:
This malware belongs to the family of online-game password stealers.
It is a UPX-packed executable which, upon execution, drops a DLL file with a random eight-lowercase-letter name into the %SYSTEM% folder. This DLL is injected into the address space of every running process in order to steal information about a Chinese online game named Westward Journey Online II. It checks whether the process name is xy2.exe or xy2_ex.exe; if so, the user's sensitive data is sent to the malware author via an HTTP POST to:
http://dh2.ac[removed].cn/ZONGXXXOUT/post.asp
http://dh2.ac[removed].cn/GGGZ/xiaochang/post.asp
using the following parameters:
account=%s & password1=%s & password2=%s & passed=%s & specialSign=%s &client=
&area= & & server=%s & inputsource=%s & levels=%s & name=%s & other=%s & verify=%s
In order for this DLL to be loaded at every system startup, the following registry keys are added:
HKEY_CLASSES_ROOT\CLSID\\InProcServer32
@ = C:\\WINDOWS\\system32\\.dll
HKEY_CLASSES_ROOT\CLSID\\InProcServer32
ThreadingModel = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
= ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
=
Finally, the malware drops a batch file that it uses to delete itself.
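As an added defender-side example (not part of the BitDefender write-up), the following Python code correlates the persistence locations listed above over a constructed registry dump: it flags CLSIDs whose InProcServer32 server is an eight-lowercase-letter DLL in system32 and that are referenced from ShellExecuteHooks or ShellServiceObjectDelayLoad. The GUIDs and DLL names in the sample are placeholders, and the registry is assumed to have been exported as (key, value name, data) triples.

```python
import re

# Constructed sample registry dump in (key, value_name, data) form, modelled on the
# keys in the advisory. GUIDs and DLL names are placeholders, not values from the page.
SAMPLE_REGISTRY = [
    (r"HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-0001}\InProcServer32", "", r"C:\WINDOWS\system32\abcdefgh.dll"),
    (r"HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-0001}\InProcServer32", "ThreadingModel", "Apartment"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks", "{PLACEHOLDER-0001}", ""),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad", "WebCheck", "{PLACEHOLDER-0001}"),
    # Benign hook with a descriptive DLL name: must not fire.
    (r"HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-0002}\InProcServer32", "", r"C:\WINDOWS\system32\shell32.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks", "{PLACEHOLDER-0002}", ""),
    # Random-looking name that is never registered as a hook: not flagged on its own.
    (r"HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-0003}\InProcServer32", "", r"C:\WINDOWS\system32\zyxwvuts.dll"),
]

CLSID_SERVER = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[^}]+\})\\InProcServer32$", re.IGNORECASE)
SHELL_EXECUTE_HOOKS = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
SSODL = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"


def is_random_system_dll(path):
    """True for ...\\system32\\<eight lowercase letters>.dll, the symptom named in the advisory."""
    directory, _, base = path.rpartition("\\")
    return directory.lower().endswith("\\system32") and re.fullmatch(r"[a-z]{8}\.dll", base) is not None


def find_suspicious_hooks(entries):
    """Correlate CLSID InProcServer32 targets with the two autoload keys the family uses.
    Returns a sorted list of (clsid, dll_path, hook_key) for every CLSID whose server is a
    random-named system32 DLL and that is referenced from either autoload key."""
    servers = {}
    for key, name, data in entries:
        m = CLSID_SERVER.match(key)
        if m and name == "" and is_random_system_dll(data):   # "" is the (Default) value
            servers[m.group(1).lower()] = data
    hits = []
    for key, name, data in entries:
        k = key.lower()
        if k == SHELL_EXECUTE_HOOKS:
            clsid = name.lower()        # here the CLSID is the value name and data is ""
        elif k == SSODL:
            clsid = data.lower()        # here the CLSID is the value data
        else:
            continue
        if clsid in servers:
            hits.append((clsid, servers[clsid], key))
    return sorted(hits)
```

Legitimate components can also have eight-letter names, so treat a hit as a triage lead to confirm against the file's signature and hash rather than as proof of infection.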