The following files will be found on an infected computer:
Please let BitDefender disinfect your files.
Dana Stanut, virus researcher
When executed this malware creates a copy of itself under herss.exe and adds this copy at startup using the following registry key:
Next it drops a .dll file in %TEMP% folder under cvasds[random_one_digit_number].dll and injects it in every running process.
This dll is the actual password stealing component. Some of the targeted games are: MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron. The gathered data is sent to many IPs found inside the .dll file.
Both components of the malware are packed using NSAnti packer in order to avoid AV detection.