BitDefender Antivirus

Trojan.PWS.OnlineGames.KCWP

( W32.Gammina.AG; Worm:Win32/Taterf.B )
Spreading: high
Damage: medium
Size: ~100 kbytes
Discovered: 2009 Oct 14

SYMPTOMS:

The following files will be found on an infected computer:
%TEMP%\herss.exe
%TEMP%\cvasds[random_one_digit_number].dll

TECHNICAL DESCRIPTION:

When executed, this malware creates a copy of itself as herss.exe and registers that copy to run at startup using the following registry key:
SoftWare\Microsoft\Windows\CurrentVersion\Run\
Name: cdoosoft
Value: %TEMP%\herss.exe

Next it drops a .dll file into the %TEMP% folder as cvasds[random_one_digit_number].dll and injects it into every running process.

This .dll is the actual password-stealing component. Some of the targeted games are: MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron. The gathered data is sent to a number of IP addresses embedded inside the .dll file.

Both components of the malware are packed with the NSAnti packer in order to hinder AV detection.
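Added example, not part of the BitDefender advisory: a Python check for the indicators listed above (the herss.exe copy in %TEMP%, the cvasds<digit>.dll drop, and the cdoosoft Run value pointing at herss.exe). The advisory does not name the registry hive, so reading HKEY_CURRENT_USER is an assumption; the sample directory listing and Run entries below are constructed.

```python
import os
import re
import sys

# Indicators taken from the advisory text.
RUN_VALUE_NAME = "cdoosoft"
DROPPED_EXE = "herss.exe"
DROPPED_DLL = re.compile(r"^cvasds[0-9]\.dll$", re.IGNORECASE)

# Constructed sample input, used when not running on a live Windows host.
SAMPLE_TEMP_FILES = ["herss.exe", "cvasds3.dll", "notes.txt"]
SAMPLE_RUN_ENTRIES = {"cdoosoft": r"%TEMP%\herss.exe", "OneDrive": r"C:\tools\OneDrive.exe"}


def _basename(data):
    # Run values may be quoted and use backslashes; normalise to a lower-case file name.
    return data.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_indicators(temp_files, run_entries):
    """Return (indicator, detail) pairs for file names and Run entries matching the advisory."""
    hits = []
    for name in temp_files:
        if name.lower() == DROPPED_EXE:
            hits.append(("dropped_exe", name))
        elif DROPPED_DLL.match(name):
            hits.append(("dropped_dll", name))
    for value_name, data in run_entries.items():
        # Match on the value name, or on any Run entry whose target is herss.exe.
        if value_name.lower() == RUN_VALUE_NAME or _basename(data) == DROPPED_EXE:
            hits.append(("run_key", f"{value_name} = {data}"))
    return hits


def collect_live():
    """Gather the %TEMP% listing and HKCU Run values on a live Windows host (hive is an assumption)."""
    import winreg  # Windows only
    temp_files = os.listdir(os.environ.get("TEMP", ""))
    run_entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_entries[name], i = str(data), i + 1
    return temp_files, run_entries


if __name__ == "__main__":
    live = sys.platform == "win32"
    args = collect_live() if live else (SAMPLE_TEMP_FILES, SAMPLE_RUN_ENTRIES)
    for kind, detail in find_indicators(*args):
        print(kind, detail)
```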

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dana Stanut, virus researcher