Trojan.PWS.OnlineGames.KBXS
MEDIUM
MEDIUM
~12 kbytes
(PWS:win32/Lolyda.AD; Trojan-GameThief.Win32.OnLineGames.uwvj)
Symptoms
The following files will be present on an infected computer:
%Windows%\fOntS\comres.dll
%Windows%\fOntS\GTH60366.fon
%Windows%\fOntS\GTH60366.ttf
%System%\comres.dll
%System%\GTH60366.exe - copy of rundll32.exe
%System%\mmsfc1.dll - copy of sfc_os.dll
%System%\sysGTH.dll - original comres.dll
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dana Stanut, virus researcher
Technical Description:
This detection covers the DLL component of an online-games password stealer; the component is responsible for monitoring the user's activity.
When the dropper is executed, it first copies %System%\sfc_os.dll to %System%\mmsfc1.dll in order to bypass Windows File Protection while overwriting %System%\comres.dll with its malicious DLL. The original comres.dll is saved as sysGTH.dll in the same folder, and a copy of the malicious DLL is also written to the %Windows%\fOntS\ folder. This component is loaded into every running process, where it monitors the user's activity (keystrokes and mouse gestures) in order to steal sensitive information related to online games and instant-messenger accounts. The targeted programs are: QQ Login, Dungeon and Fighter, Tenio.
The component responsible for sending the gathered information to the malware author is dropped in the %Windows%\fOntS\ folder as GTH60366.ttf (detected as Trojan.PWS.OnlineGames.KBXJ).
The information (such as username, password, server, money, goldCoin, equipment, level and others) is sent to the following addresses:
http://www.wg210.com/mail.asp
http://www.wg210.com/mibao.asp
http://1.qq594358080.cn/kanxin/004/mail.asp
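The file relationships in the Symptoms list and the C2 hosts above make a compact host-triage check. The following Python script is an added example (not BitDefender's tooling and not code from the malware): given the %Windows% and %System% directories, it reports the dropped files, confirms the copy relationships by hash (GTH60366.exe to rundll32.exe, mmsfc1.dll to sfc_os.dll, and %System%\comres.dll to the copy under fOntS), and flags proxy-log lines that reference the C2 hosts. The directory tree and log lines it runs against are constructed for the demonstration; the finding tags and helper names are this example's own.

```python
"""Triage check for the Trojan.PWS.OnlineGames.KBXS file and network indicators.

Added example, not BitDefender's own tooling. %Windows% and %System% are taken
as parameters so the check can be pointed at a mounted disk image (or, as
here, at a constructed directory tree). The description says GTH60366.exe and
mmsfc1.dll are copies of rundll32.exe and sfc_os.dll, and that the same
malicious comres.dll is written to both %System% and %Windows%\\fOntS, so equal
SHA-256 digests are the signal.
"""
import hashlib
import os
import tempfile

# Hosts from the C2 URLs in the description; matched on host, not on full URL.
C2_HOSTS = ("www.wg210.com", "1.qq594358080.cn")

# Constructed proxy-log lines for the demonstration, not from a real incident.
SAMPLE_LOG = [
    "2009-03-01 12:00:01 10.0.0.5 POST http://www.wg210.com/mail.asp 200",
    "2009-03-01 12:00:07 10.0.0.5 GET http://www.example.com/ 200",
    "2009-03-01 12:00:09 10.0.0.7 POST http://1.qq594358080.cn/kanxin/004/mail.asp 200",
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _same_content(a, b):
    """True when both files exist and their contents are identical."""
    return os.path.isfile(a) and os.path.isfile(b) and sha256_of(a) == sha256_of(b)


def scan(windows_dir, system_dir):
    """Return (tag, detail) findings for the KBXS indicators; [] means none seen."""
    fonts = os.path.join(windows_dir, "fOntS")

    def sysf(name):
        return os.path.join(system_dir, name)

    findings = []

    # 1. Dropped files from the Symptoms list.
    for p in (os.path.join(fonts, "comres.dll"),
              os.path.join(fonts, "GTH60366.fon"),
              os.path.join(fonts, "GTH60366.ttf"),
              sysf("GTH60366.exe"), sysf("mmsfc1.dll"), sysf("sysGTH.dll")):
        if os.path.isfile(p):
            findings.append(("dropped_file", p))

    # 2. Renamed system binaries: GTH60366.exe == rundll32.exe and
    #    mmsfc1.dll == sfc_os.dll (the copy used to bypass Windows File Protection).
    if _same_content(sysf("GTH60366.exe"), sysf("rundll32.exe")):
        findings.append(("rundll32_copy", sysf("GTH60366.exe")))
    if _same_content(sysf("mmsfc1.dll"), sysf("sfc_os.dll")):
        findings.append(("sfc_os_copy", sysf("mmsfc1.dll")))

    # 3. Replaced comres.dll: the %System% copy matches the one dropped under fOntS.
    if _same_content(sysf("comres.dll"), os.path.join(fonts, "comres.dll")):
        findings.append(("comres_replaced", sysf("comres.dll")))
    return findings


def c2_hits(log_lines):
    """Return log lines that mention a known C2 host (case-insensitive substring)."""
    return [ln for ln in log_lines if any(h in ln.lower() for h in C2_HOSTS)]


def build_sample_tree():
    """Create a constructed infected layout in a temp dir; returns (windows_dir, system_dir).
    File contents are placeholders; only the copy relationships matter."""
    root = tempfile.mkdtemp()
    windows_dir = os.path.join(root, "Windows")
    system_dir = os.path.join(windows_dir, "system32")
    fonts = os.path.join(windows_dir, "fOntS")
    os.makedirs(system_dir)
    os.makedirs(fonts)
    files = {
        os.path.join(system_dir, "rundll32.exe"): b"MZ placeholder rundll32",
        os.path.join(system_dir, "GTH60366.exe"): b"MZ placeholder rundll32",
        os.path.join(system_dir, "sfc_os.dll"): b"MZ placeholder sfc_os",
        os.path.join(system_dir, "mmsfc1.dll"): b"MZ placeholder sfc_os",
        os.path.join(system_dir, "comres.dll"): b"MZ placeholder malicious comres",
        os.path.join(fonts, "comres.dll"): b"MZ placeholder malicious comres",
        os.path.join(system_dir, "sysGTH.dll"): b"MZ placeholder original comres",
        os.path.join(fonts, "GTH60366.fon"): b"placeholder font",
        os.path.join(fonts, "GTH60366.ttf"): b"MZ placeholder KBXJ sender",
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return windows_dir, system_dir


if __name__ == "__main__":
    win, sysd = build_sample_tree()
    for tag, detail in scan(win, sysd):
        print(f"{tag:16} {detail}")
    for ln in c2_hits(SAMPLE_LOG):
        print("c2_traffic       " + ln)
```

Against a real system, call scan() with the mounted image's Windows and System32 paths; build_sample_tree() exists only so the check can be exercised offline. The hash comparisons are the useful part: a single file named comres.dll proves nothing, but %System%\comres.dll being byte-identical to a DLL in the fonts folder, or an .exe in System32 matching rundll32.exe, is the specific fingerprint this description gives. The C2 match is a loose substring test and should be tightened to the exact host field of whatever log format is in use.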