- presence of %temp%\herss.exe
- presence of %temp%\cvasds0.dll
- presence of bychft.exe inside the root directory of every drive
- presence of autorun.inf file, pointing to the file described above
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This password stealer will perform the following upon execution:
- make a fresh copy of itself inside %temp% folder, as herss.exe
- drop its dll component, inside %temp% folder, as cvasds0.dll
- register itself at startup, by adding the registry value:
SoftWare\Microsoft\Windows\CurrentVersion\Run\cdoosoft, which will point to %temp%\herss.exe
- inject the dropped dll (cvasds0.dll) inside running processes.
The DLL is responsible for the actual "stealing". After being injected into all running processes, it also creates new copies of the trojan inside the root directory of every drive, as bychft.exe, together with autorun.inf files that point to bychft.exe.
It steals sensitive data related to the following online games: MapleStory, AgeOfConan, The Lord of the Rings Online, Knight Online, Metin 2, FlyFF. The trojan also contains large lists of IP addresses, to which it sends the data stolen from the victim's computer.
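The indicators listed above (dropped files in %temp%, the Run value, and the drive-root copies with their autorun.inf) can be checked from an administrative PowerShell prompt. The script below is an added example, not BitDefender's tooling; the file and value names come from the description, while the registry hives searched (HKCU and HKLM, since the page gives the key without a hive) are an assumption.

```powershell
# Added example (not BitDefender code): report the indicators described on this page.
$findings = @()

# 1. Dropped components in %temp%: herss.exe (copy of the stealer) and cvasds0.dll (injected DLL)
foreach ($name in 'herss.exe', 'cvasds0.dll') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Persistence: Run value 'cdoosoft' pointing to %temp%\herss.exe.
#    The page names the key without a hive, so both HKCU and HKLM are checked (assumption).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\SoftWare\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name 'cdoosoft' -ErrorAction SilentlyContinue).cdoosoft
    if ($val) { $findings += "Run value cdoosoft in $key -> $val" }
}

# 3. Spreading: bychft.exe plus an autorun.inf referencing it in every drive root
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $exe  = Join-Path $root 'bychft.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $exe) { $findings += "Drive-root copy present: $exe" }
    if (Test-Path -LiteralPath $inf) {
        $lines = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        # Only flag autorun.inf files that actually reference the dropped executable
        if ($lines -match 'bychft\.exe') { $findings += "autorun.inf references bychft.exe: $inf" }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit on any of the three groups is a strong sign of this infection; a stray autorun.inf alone is not, which is why the script checks its contents.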