(W32.Gammima.AG, Win32/PSW.OnLineGames.NNU)


- presence of the files and registry keys from the Technical Description
- antivirus may be out of date

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

When run, the malware copies itself under the name “herss.exe” and drops “cvasds[number].dll” into the victim’s %temp% folder, where [number] is usually 0, e.g. “cvasds0.dll”. It then injects the dropped dll into the memory space of the explorer.exe process and of every process that has explorer.exe as its parent.

Next, it creates a new entry in the registry at “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” named “cdoosoft” and sets its value to “%temp%\herss.exe”, so that the malware runs each time the computer starts.
The injected dll monitors user activity and steals sensitive data from games such as Flyff, Metin2, Age of Conan, Runewaker, Lord of the Rings Online, Knight Online, WoW, Cabal Online and MapleStory. The stolen information is sent to several servers. It also copies “%temp%\herss.exe” under the name “lhh3v.exe” and creates an “autorun.inf” file in the root of every drive, including removable devices. The “autorun.inf” file is responsible for running “lhh3v.exe” when the drive is opened in Explorer; after the malware has run its malicious code, it opens the folder the user requested.
The injected dll also contains another embedded dll that can disable some antivirus update services, leaving the victim vulnerable to other viruses.
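The following is an added example, not a BitDefender tool and not code from the original description. It turns the indicators listed above (the “cdoosoft” Run entry pointing at %temp%\herss.exe, the “herss.exe” and “cvasds[number].dll” files in %temp%, and the “lhh3v.exe” plus “autorun.inf” pair on drive roots) into simple check functions. The inputs are constructed in-memory samples; on a real machine the same functions would be fed from the registry and filesystem (for example via winreg and os.listdir, which are assumed here and not shown).

```python
import re

# Constructed sample inputs (not captured from a real infection) that mirror
# the artifacts named in the technical description.
SAMPLE_RUN_KEY = {
    # benign entry, should not be flagged
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    # persistence entry exactly as the description states it
    "cdoosoft": r"C:\Users\alice\AppData\Local\Temp\herss.exe",
}
SAMPLE_TEMP_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\herss.exe",
    r"C:\Users\alice\AppData\Local\Temp\cvasds0.dll",
    r"C:\Users\alice\AppData\Local\Temp\report.txt",  # benign
]
# drive root -> {filename: contents-or-True}; autorun.inf is kept as text
SAMPLE_DRIVE_ROOTS = {
    "C:\\": {
        "lhh3v.exe": True,
        "autorun.inf": "[autorun]\nopen=lhh3v.exe\nshellexecute=lhh3v.exe\n",
    },
    # a removable drive with a harmless autorun.inf (icon/label only)
    "E:\\": {"autorun.inf": "[autorun]\nicon=setup.ico\nlabel=Backup\n"},
}

# "cvasds" followed by a number, as in the description's cvasds[number].dll
DROPPED_DLL_RE = re.compile(r"^cvasds\d+\.dll$", re.IGNORECASE)
# autorun.inf directives that cause a program to be launched
AUTORUN_LAUNCH_RE = re.compile(
    r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def basename(path):
    """Return the final component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_key(run_entries):
    """Flag Run-key entries named 'cdoosoft' or whose value is herss.exe."""
    findings = []
    for name, value in run_entries.items():
        if name.lower() == "cdoosoft" or basename(value) == "herss.exe":
            findings.append(f"Run entry '{name}' -> {value}")
    return findings


def check_temp_files(paths):
    """Flag herss.exe and cvasds[number].dll among the given %temp% files."""
    findings = []
    for p in paths:
        base = basename(p)
        if base == "herss.exe" or DROPPED_DLL_RE.match(base):
            findings.append(p)
    return findings


def check_drive_roots(roots):
    """Flag drive roots that carry lhh3v.exe or an autorun.inf launching it."""
    findings = []
    for root, entries in roots.items():
        if "lhh3v.exe" in {k.lower() for k in entries}:
            findings.append(f"{root}lhh3v.exe present")
        autorun = entries.get("autorun.inf")
        if isinstance(autorun, str):
            targets = [m.group(2) for m in AUTORUN_LAUNCH_RE.finditer(autorun)]
            if any(basename(t) == "lhh3v.exe" for t in targets):
                findings.append(f"{root}autorun.inf launches lhh3v.exe")
    return findings


def scan(run_entries, temp_files, drive_roots):
    """Run all checks and return a dict of findings per indicator group."""
    return {
        "run_key": check_run_key(run_entries),
        "temp_files": check_temp_files(temp_files),
        "drive_roots": check_drive_roots(drive_roots),
    }


if __name__ == "__main__":
    for group, hits in scan(SAMPLE_RUN_KEY, SAMPLE_TEMP_FILES,
                            SAMPLE_DRIVE_ROOTS).items():
        print(group, "->", hits or "clean")
```

The autorun.inf check deliberately parses the `open=` and `shellexecute=` directives rather than matching the file name anywhere in the text, so a legitimate autorun.inf that only sets an icon or label (as on the constructed E: drive) is not reported.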

