
Trojan.PWS.OnlineGames.KBXS

Spreading: MEDIUM
Damage: MEDIUM
Size: ~12 kbytes
Aliases: PWS:win32/Lolyda.AD; Trojan-GameThief.Win32.OnLineGames.uwvj

Symptoms

The following files will be present on an infected computer:
%Windows%\fOntS\comres.dll
%Windows%\fOntS\GTH60366.fon
%Windows%\fOntS\GTH60366.ttf
%System%\comres.dll - overwritten with the malicious dll
%System%\GTH60366.exe - copy of rundll32.exe
%System%\mmsfc1.dll - copy of sfc_os.dll (see the technical description below)
%System%\sysGTH.dll - the original comres.dll, renamed
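The list above can be turned into a host check. The script below is an added example for this page, not Bitdefender tooling: it takes the Windows root and System32 directories as parameters so it can be pointed at a mounted image, matches the file names case-insensitively (Windows paths are, so the "fOntS" spelling is cosmetic), and verifies the "copy of" relationships by hashing, which is more robust than relying on names alone. The sample tree built by demo() is constructed test data containing stand-in bytes, not real malware.

```python
"""Host check for the file artifacts listed under Symptoms.

Added example, not Bitdefender tooling. File names and the "copy of"
relationships are taken from the Symptoms list; everything else
(the directory layout helper, the stand-in contents) is constructed.
"""
import hashlib
import os
import tempfile

FONTS_FILES = ("comres.dll", "GTH60366.fon", "GTH60366.ttf")
SYSTEM_FILES = ("comres.dll", "GTH60366.exe", "mmsfc1.dll", "sysGTH.dll")
ALL_FILES = [("Fonts", n) for n in FONTS_FILES] + [("System32", n) for n in SYSTEM_FILES]
# System32\comres.dll is a legitimate file, so it alone is not an indicator.
INDICATORS = [(f, n) for f, n in ALL_FILES if not (f == "System32" and n == "comres.dll")]


def _find(directory, name):
    """Path of `name` inside `directory`, matched case-insensitively, or None."""
    if directory is None or not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(windows_dir, system_dir):
    """Report which artifacts exist and whether the described copy relationships hold."""
    fonts_dir = _find(windows_dir, "Fonts")
    present = {}
    for folder, name in ALL_FILES:
        base = fonts_dir if folder == "Fonts" else system_dir
        present[folder + "\\" + name] = _find(base, name) is not None

    def same_content(a, b):
        pa, pb = _find(system_dir, a), _find(system_dir, b)
        return bool(pa and pb) and _sha256(pa) == _sha256(pb)

    return {
        "present": present,
        # GTH60366.exe is described as a copy of rundll32.exe
        "gth_exe_is_rundll32": same_content("GTH60366.exe", "rundll32.exe"),
        # mmsfc1.dll is described as a copy of sfc_os.dll
        "mmsfc1_is_sfc_os": same_content("mmsfc1.dll", "sfc_os.dll"),
        # if the original was saved as sysGTH.dll, the live comres.dll should differ from it
        "comres_replaced": _find(system_dir, "sysGTH.dll") is not None
                           and not same_content("comres.dll", "sysGTH.dll"),
        "infected": any(present[f + "\\" + n] for f, n in INDICATORS),
    }


def _put(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def build_sample_tree(root, infected=True):
    """Constructed test tree (stand-in bytes, not real files) under `root`."""
    windows = os.path.join(root, "Windows")
    system = os.path.join(windows, "System32")
    fonts = os.path.join(windows, "fOntS" if infected else "Fonts")
    os.makedirs(system)
    os.makedirs(fonts)
    _put(system, "rundll32.exe", b"RUNDLL32-STANDIN")
    _put(system, "sfc_os.dll", b"SFC_OS-STANDIN")
    _put(system, "comres.dll", b"MALICIOUS-STANDIN" if infected else b"ORIGINAL-COMRES")
    _put(fonts, "arial.ttf", b"FONT-STANDIN")
    if infected:
        _put(system, "GTH60366.exe", b"RUNDLL32-STANDIN")  # copy of rundll32.exe
        _put(system, "mmsfc1.dll", b"SFC_OS-STANDIN")      # copy of sfc_os.dll
        _put(system, "sysGTH.dll", b"ORIGINAL-COMRES")     # saved original comres.dll
        _put(fonts, "comres.dll", b"MALICIOUS-STANDIN")
        _put(fonts, "GTH60366.fon", b"FON-STANDIN")
        _put(fonts, "GTH60366.ttf", b"SENDER-STANDIN")
    return windows, system


def demo(infected=True):
    """Run check_host() against a constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        windows, system = build_sample_tree(root, infected)
        return check_host(windows, system)


if __name__ == "__main__":
    for label, result in (("infected host", demo(True)), ("clean host", demo(False))):
        print(label, {k: v for k, v in result.items() if k != "present"})
```

On a real system pass the actual directories, for example `check_host(r"C:\Windows", r"C:\Windows\System32")`, and treat `comres_replaced` as the strongest signal: a saved sysGTH.dll next to a comres.dll that no longer matches it is exactly the state the dropper leaves behind.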

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

     This detection covers the DLL component of an online-games password stealer, the part responsible for monitoring the user's activity.
      When the dropper of this file is executed, it first copies %System%\sfc_os.dll to %System%\mmsfc1.dll so that it can bypass Windows File Protection while overwriting %System%\comres.dll with its malicious DLL. The original comres.dll is kept in the same folder as sysGTH.dll, which also serves as a reference copy when checking whether the system's comres.dll has been tampered with. A second copy of the malicious DLL is written to the %Windows%\fOntS\ folder (the odd casing is cosmetic; Windows paths are case-insensitive). Because the replaced comres.dll is loaded into every running process, the component sees the user's keystrokes and mouse activity in each of them and harvests credentials for several online games and messenger accounts. The targeted programs are QQ Login, Dungeon and Fighter and Tenio.
     The component responsible for sending the gathered information to the malware author is dropped in the %Windows%\fOntS\ folder as GTH60366.ttf (detected as Trojan.PWS.OnlineGames.KBXJ).
     The information (username, password, server, money, goldCoin, equipment, level and other fields) is sent to the following addresses, which are worth blocking and alerting on at the proxy:
           http://www.wg210.com/mail.asp
           http://www.wg210.com/mibao.asp
           http://1.qq594358080.cn/kanxin/004/mail.asp
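The three addresses above are the network indicators for this family. The script below is an added example, not Bitdefender tooling, showing how to match them against proxy logs without being fooled by case or port differences: the host is compared case-insensitively and the path is lowercased as well, since these are ASP endpoints on Windows web servers where paths are case-insensitive. A request to one of the listed hosts but a different path is reported separately as a host-level match, which is useful for spotting related samples that post to another script on the same server. The log format (timestamp, client, method, URL, status) and the log lines are constructed for the example.

```python
"""Proxy-log check for the exfiltration addresses listed in the description.

Added example, not Bitdefender tooling. The indicator URLs are the three
from the page; the log format and sample lines are constructed.
"""
from urllib.parse import urlsplit

EXFIL_URLS = (
    "http://www.wg210.com/mail.asp",
    "http://www.wg210.com/mibao.asp",
    "http://1.qq594358080.cn/kanxin/004/mail.asp",
)


def _key(url):
    """Normalise a URL to (host, path): lowercase host without port, lowercase path."""
    if "://" not in url:          # proxies often log CONNECT targets as bare host:port
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/").lower()


EXFIL_KEYS = {_key(u) for u in EXFIL_URLS}
EXFIL_HOSTS = {host for host, _ in EXFIL_KEYS}


def classify(url):
    """'exact' for a listed endpoint, 'host' for another path on a listed host, else None."""
    host, path = _key(url)
    if (host, path) in EXFIL_KEYS:
        return "exact"
    if host in EXFIL_HOSTS:
        return "host"
    return None


def scan_log(lines):
    """Return one hit per log line whose URL matches an indicator.

    Assumed line format: <timestamp> <client-ip> <method> <url> <status>.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, client, method, url = fields[:4]
        verdict = classify(url)
        if verdict:
            hits.append({"time": timestamp, "client": client, "method": method,
                         "url": url, "match": verdict})
    return hits


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "2009-05-14T10:02:11 10.0.0.7 POST http://www.wg210.com/mail.asp 200",
    "2009-05-14T10:02:12 10.0.0.7 GET http://www.google.com/ 200",
    "2009-05-14T10:03:40 10.0.0.9 POST http://WWW.WG210.COM:80/MIBAO.ASP 200",
    "2009-05-14T10:05:02 10.0.0.9 GET http://1.qq594358080.cn/kanxin/005/mail.asp 404",
    "2009-05-14T10:06:00 10.0.0.3 GET http://example.com/kanxin/004/mail.asp 200",
]


def demo():
    """Scan the constructed sample log and return the hits."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(hit["match"], hit["client"], hit["method"], hit["url"])
```

The POST entries are the ones that carry stolen data; a GET to the same endpoint still identifies an infected client, so both are reported and the method is kept in the hit for triage.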