Trojan.PWS.OnlineGames.KCPG

Damage: LOW
Spreading: LOW
Size: Variable

Symptoms

- presence of the file gx.bat in the root directory of every drive
- presence of an autorun.inf file in the root directory of every drive, pointing to the file above
- presence of the hidden files %temp%\uret463.exe and %temp%\lhgiyitX.dll (where X is a number beginning with 0)
- presence of the registry value dorfgwe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing to %temp%\uret463.exe


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

When first run, the trojan makes the following modifications to the system:
- copies itself to the %temp% directory as uret463.exe
- drops its DLL component in the %temp% directory as lhgiyitX.dll (where X is a number beginning with 0)
- injects the DLL into explorer.exe and, from there, into every running process
The DLL additionally:
- copies the trojan to the root directory of every drive as gx.bat
- creates an autorun.inf file on every drive pointing to gx.bat (it also makes sure the autorun feature is enabled for the targeted drives)
- drops a rootkit driver in %system%\drivers as cdaudio.sys (currently detected by BitDefender as Rootkit.OnlineGames.CQ), which is responsible for hiding the malware's files (the trojan drops the file and registers the service, but does not appear to actually load the driver)
This password stealer targets data for online games such as TwelveSky (twelsky2.exe), MapleStory (maplestory.exe), Perfect World (elementclient.exe) and World of Warcraft (wow.exe), as well as programs associated with the processes coc.exe, fj.exe, ybclient.exe, wsm.exe, gameclient.exe and game.exe.
It attempts to retrieve information from various files, if present on the infected machine, such as wool.dat, Online.dat, aaa.dat, config.wtf and userdata\currentserver.ini. The trojan also contains a large list of IP addresses to which it may send the information gathered from the victim's computer.
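The artifacts listed under Symptoms and in the technical description above can be checked with the script below. This is an added example, not Bitdefender's code or removal tool. The structure (a HostSnapshot record, the pure functions autorun_points_to, is_dropped_dll and evaluate, and the Windows-only collector collect_windows) is this example's own; the only facts it encodes are the file names, the Run value name and the driver name given on this page. The matching logic runs on any platform against a hand-built snapshot, which is also how it is tested; the live collection needs Windows and, for the HKLM key and other users' %temp%, administrative rights.

```python
"""Host checks for the Trojan.PWS.OnlineGames.KCPG artifacts described above.

Added example, not Bitdefender's code. Pure matching functions operate on a
HostSnapshot so they can be tested offline; collect_windows() fills a snapshot
from a live Windows host and is a no-op elsewhere.
"""
import os
import re
import stat
import sys
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators taken from the description above.
BAT_NAME = "gx.bat"
EXE_NAME = "uret463.exe"
RUN_VALUE = "dorfgwe"
DRIVER_NAME = "cdaudio.sys"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# "lhgiyitX.dll where X is a number beginning with 0": lhgiyit0.dll, lhgiyit01.dll, ...
DLL_RE = re.compile(r"^lhgiyit0\d*\.dll$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Observed host state; built by collect_windows() or constructed by hand for tests."""
    drive_roots: Dict[str, Dict[str, str]] = field(default_factory=dict)  # root -> {name: autorun.inf text or ""}
    temp_files: Dict[str, bool] = field(default_factory=dict)             # %temp% file name -> hidden attribute set
    run_values: Dict[str, str] = field(default_factory=dict)              # HKLM Run value name -> data
    driver_files: List[str] = field(default_factory=list)                 # names in %SystemRoot%\System32\drivers


def autorun_points_to(autorun_text: str, target: str = BAT_NAME) -> bool:
    """True if autorun.inf would execute `target` via open=, shellexecute= or shell\\*\\command=.
    icon= and label= lines are ignored so a benign autorun.inf is not flagged."""
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        executes = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if executes and target.lower() in value:
            return True
    return False


def is_dropped_dll(name: str) -> bool:
    return DLL_RE.match(name) is not None


def evaluate(snap: HostSnapshot) -> List[str]:
    """Return one line per matched indicator; an empty list means nothing matched."""
    hits: List[str] = []
    for root, names in snap.drive_roots.items():
        lower = {n.lower(): n for n in names}
        if BAT_NAME in lower:
            hits.append(f"dropper copy {os.path.join(root, lower[BAT_NAME])}")
        if "autorun.inf" in lower and autorun_points_to(names[lower["autorun.inf"]]):
            hits.append(f"autorun.inf in {root} executes {BAT_NAME}")
    for name, hidden in snap.temp_files.items():
        if name.lower() == EXE_NAME or is_dropped_dll(name):
            hits.append(f"%temp%\\{name}" + (" (hidden)" if hidden else ""))
    data = snap.run_values.get(RUN_VALUE)
    if data is not None:
        hits.append(f"HKLM\\{RUN_KEY}\\{RUN_VALUE} = {data}")
    # Weak indicator on its own: Windows XP ships a legitimate driver of this name, so a
    # match is a lead to verify by hash/signature (or with the Rootkit.OnlineGames.CQ detection).
    if any(n.lower() == DRIVER_NAME for n in snap.driver_files):
        hits.append(f"{DRIVER_NAME} present in drivers directory (verify hash/signature)")
    return hits


def collect_windows() -> HostSnapshot:
    """Populate a snapshot from the local Windows host; returns an empty snapshot on other OSes."""
    snap = HostSnapshot()
    if sys.platform != "win32":
        return snap
    import string
    import winreg
    for letter in string.ascii_uppercase:
        root = f"{letter}:\\"
        if not os.path.isdir(root):
            continue
        names: Dict[str, str] = {}
        if os.path.isfile(os.path.join(root, BAT_NAME)):
            names[BAT_NAME] = ""
        inf = os.path.join(root, "autorun.inf")
        if os.path.isfile(inf):
            with open(inf, errors="replace") as fh:
                names["autorun.inf"] = fh.read()
        snap.drive_roots[root] = names
    temp = os.environ.get("TEMP", "")
    for entry in (os.scandir(temp) if os.path.isdir(temp) else []):
        if entry.is_file():
            snap.temp_files[entry.name] = bool(entry.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            i = 0
            while True:  # EnumValue raises OSError once the values are exhausted
                name, data, _ = winreg.EnumValue(key, i)
                snap.run_values[name] = str(data)
                i += 1
    except OSError:
        pass
    drivers = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers")
    snap.driver_files = os.listdir(drivers) if os.path.isdir(drivers) else []
    return snap


if __name__ == "__main__":
    for hit in evaluate(collect_windows()) or ["no indicators found"]:
        print(hit)
```

Run it from an elevated prompt on the suspect machine; because the rootkit component is meant to hide these files, a clean result from inside the running system is weaker evidence than a scan of the disk from a boot medium, and any hit should be followed by letting BitDefender disinfect the files as the page instructs.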