Worm.Generic.95776

LOW
MEDIUM
Variable

Symptoms

- presence of the following files in %temp%: cvasds0.dll and herss.exe, both hidden
- presence of the following files in the root directory of the system drive: an autorun.inf file pointing to wcgswa.exe (both hidden)
- presence of the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdooosoft, pointing to %temp%\herss.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This malware's purpose is to steal information regarding online games. When executed, it performs the following modifications:

FILES

- copies itself into the %temp% folder as herss.exe and drops a .dll file named cvasds0.dll in the same directory, both hidden
- the dropped .dll file, once loaded inside explorer.exe, makes an additional copy of the executable in the root directory of the system drive as wcgswa.exe and creates an autorun.inf file pointing to it

REGISTRY

- registers itself at startup by adding the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdooosoft, pointing to %temp%\herss.exe
- sets the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\Checked value to 0, disabling the option of checking "Show hidden files and folders" under Folder Options -> View

PROCESSES

The initial process of the malware only copies itself and the dropped .dll file into the %temp% folder and injects the .dll into explorer.exe. The injected .dll performs the rest of the modifications (the registry and autorun changes).

PASSWORD STEALING

The injected .dll then begins gathering sensitive information regarding several online games: Metin2, FlyFF, Maple Story, Age of Conan and Knight Online.
The malware contains a large list of IP addresses to which the stolen data is sent.

Note: %temp% is a variable that refers to the temp folder (usually x:\Documents and Settings\[user-name]\Local Settings\Temp, where x is the system drive).
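The symptoms listed above can be checked on a host with a read-only PowerShell script; the following is an added example, not Bitdefender's tooling, and assumes PowerShell 3 or later (reading HKLM and explorer.exe modules may need an elevated session). The page names the SHOWALL value "Checked"; the value Explorer actually uses is "CheckedValue", so the script reads both.

```powershell
# Added example (not Bitdefender's tooling): report which Worm.Generic.95776
# artifacts from the description are present on this host. Read-only.
function Test-WormGeneric95776Artifacts {
    $findings = @()

    # Hidden herss.exe and cvasds0.dll dropped in %temp%
    foreach ($name in 'herss.exe', 'cvasds0.dll') {
        $path = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $path) {
            $attrs = (Get-Item -LiteralPath $path -Force).Attributes
            $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
            $findings += "file present: $path (hidden=$hidden)"
        }
    }

    # wcgswa.exe and an autorun.inf pointing to it in the system drive root
    $root = $env:SystemDrive + '\'
    $exe = Join-Path $root 'wcgswa.exe'
    if (Test-Path -LiteralPath $exe) { $findings += "file present: $exe" }
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $lines = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        if ($lines -match 'wcgswa\.exe') { $findings += "autorun.inf at $root references wcgswa.exe" }
    }

    # Persistence: Run value cdooosoft under HKCU
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'cdooosoft' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value cdooosoft = $($run.cdooosoft)" }

    # "Show hidden files and folders" forced off: value set to 0
    # (page says "Checked"; Explorer's real value name is "CheckedValue", so check both)
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    foreach ($valueName in 'CheckedValue', 'Checked') {
        $v = Get-ItemProperty -Path $showAll -Name $valueName -ErrorAction SilentlyContinue
        if ($v -and $v.$valueName -eq 0) { $findings += "$showAll\$valueName is 0" }
    }

    # Injected DLL visible among explorer.exe's loaded modules
    $mods = Get-Process -Name explorer -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } | Where-Object { $_.ModuleName -ieq 'cvasds0.dll' }
    if ($mods) { $findings += 'cvasds0.dll loaded in explorer.exe' }

    return $findings
}

# Usage: prints one line per artifact found; no output means none of the listed symptoms were seen
Test-WormGeneric95776Artifacts | ForEach-Object { Write-Output $_ }
```

Any finding should be followed by letting BitDefender disinfect the system as the removal instructions say; the script only observes and does not delete or modify anything.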