My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


(Infostealer.Gamepass Trojan-GameThief.Win32.OnlineGames.tubd Win32:OnlineGames-FAK)


- presence of the files and registry entries mentioned below;
- computer slow downs

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

This trojan is used to steal sensible information from games.

At every run the malware drops in %USERPROFILE%\Local Settings\Temp a clean application named rxcf-green.exe and a malware file named xq.exe and runs both of them.

The malware (xq.exe) creates a malware dll named [random].dll in %WINDIR%\System32 and registers it in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\[random].dll ->{F0930A2F-D971-2828-8209-B7DF266ED44} and HKLM\SOFTWARE\Microsoft\Windows\Explorer\ShellExecuteHooks\{F0930A2F-D971-2828-8209-B7DF266ED44}->null, where [random].dll is in all cases the same name.

The created dll file has a random 8 char name, different size and a different overlay every time. It's injected into the memory space of explorer.exe and every other application who has explorer.exe as parent.

After that, xq.exe will use the bat self-delete method to delete itself from the disk by creating a new .bat file in the %USERPROFILE%\Local Settings\Temp folder.