Trojan.PWS.Onlinegames.KBTP (PWS:Win32/Frethog.C, TR/PWS.Magania.avc, Trojan.PWS.Wsgame)
SYMPTOMS:
- some antivirus solutions are unable to perform updates;
- some of the files mentioned in the technical description are present in the specified locations.

TECHNICAL DESCRIPTION:
Password stealer targeting online games such as MapleStory, Age of Conan and Metin2.

When launched, it drops %system%\drivers\klif.sys and registers it as a service under HKLM\SYSTEM\CurrentControlSet\Services\KAVsys. Once loaded, this driver hides the malware's registry entries and dropped files from the user.

It then injects the dropped %system%\nmdfgds0.dll into all running processes in order to monitor keyboard and mouse input.

It copies itself to C:\random_name.cmd (the file name is random) and creates an obfuscated C:\autorun.inf so that the copy is launched when the partition is accessed from Explorer. Another copy is created as %system%\olhrwef.exe.

It tries to download the file "http://hjyuw2.com/[removed]/help1..rar", which was empty at the time of analysis.

REMOVAL INSTRUCTIONS:
Please let BitDefender disinfect your files.

ANALYZED BY: Ovidiu Visoiu, virus researcher
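The following PowerShell triage check is added here as an example; it is not part of BitDefender's description or tooling. It looks on a Windows host for the indicators listed above: the three dropped files, the KAVsys service key, a root-level autorun.inf together with a .cmd file (the .cmd name is random, so it matches on extension), and the injected DLL among the modules loaded in running processes. The file paths and the registry key are those given in the description; the check logic and the output format are this example's own.

```powershell
# Added host-triage example for the indicators in the description above.
# Not BitDefender code. Paths and the service key come from the description;
# the matching logic and output are this example's own.
$system32 = Join-Path $env:SystemRoot 'System32'

$fileIndicators = @(
    (Join-Path $system32 'drivers\klif.sys'),
    (Join-Path $system32 'nmdfgds0.dll'),
    (Join-Path $system32 'olhrwef.exe')
)

$findings = @()

# Dropped files in %system% and %system%\drivers.
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += "File present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# Service registration used to load the rootkit driver.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KAVsys'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath: $img)"
}

# autorun.inf plus a .cmd file at the root of each file-system drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings += "autorun.inf present at $autorun"
    }
    Get-ChildItem -LiteralPath $root -Filter '*.cmd' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Root-level .cmd file: $($_.FullName)" }
}

# The DLL is injected into every running process; look for it among loaded modules.
# Module enumeration fails for some protected processes, hence the try/catch.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'nmdfgds0.dll' }
        if ($hit) { $findings += "nmdfgds0.dll loaded in $($proc.ProcessName) (PID $($proc.Id))" }
    } catch { }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt. Because the klif.sys driver hides its own files and registry entries once loaded, a clean result on a live, infected system is not conclusive; repeat the check from a clean boot environment or against the offline disk and registry hives. Note also that klif.sys and KAVsys resemble the names of legitimate Kaspersky components, so on a host that has Kaspersky installed the driver file alone is not proof of infection; weigh it together with the service key and the other indicators.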