Trojan.PWS.OnlineGames.KCWP
HIGH
MEDIUM
~100 kbytes
(W32.Gammina.AG; Worm:Win32/Taterf.B)
Symptoms
The following files will be found on an infected computer:
%TEMP%\herss.exe
%TEMP%\cvasds[random_one_digit_number].dll
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dana Stanut, virus researcher
Technical Description:
When executed this malware creates a copy of itself under herss.exe and adds this copy at startup using the following registry key:
SoftWare\Microsoft\Windows\CurrentVersion\Run\
Name: cdoosoft
Value: %TEMP%\herss.exe
Next it drops a .dll file in %TEMP% folder under cvasds[random_one_digit_number].dll and injects it in every running process.
This dll is the actual password stealing component. Some of the targeted games are: MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron. The gathered data is sent to many IPs found inside the .dll file.
Both components of the malware are packed using NSAnti packer in order to avoid AV detection.
SHARE
THIS ON