This malwares purpose is to steal information regarding online games. When executed, it will perform the following modifications:
- copy itself inside %temp% folder, as herss.exe, and drop a .dll file, named cvasds0.dll, in the same directory, both hidden
- the dropped .dll file, once loaded inside explorer.exe, will make an additional copy of the executable file inside root directory of the system drive, as wcgswa.exe, and will create an autorun.inf file pointing to it
- will register itself at startup by adding the key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdooosoft pointing to %temp%\herss.exe
- will set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\Checked value to 0, disabling the option of chcking "Show hidden files and folders" under Folder Options -> View
The initial process of the malware will only copy itself and drop the .dll file inside %temp% folder and inject it inside explorer.exe. The .dll file will perform the rest of the modifications (registry and autorun modifications).
The injected .dll will begin its quest to gather sensitive information regarding several online games: Metin2, FlyFF, Maple Story, Age of Conan, Knight Online
The malware contains a huge list of IP addresses where the stolen data will be sent.
Note: %temp% is a variable that reffers to the temp folder (usually x:\documents and settings\[user-name]\Local Settings\temp, where x is the system drive)