Worm.Generic.95776
SYMPTOMS:
- presence of the following files in %temp%: cvasds0.dll and herss.exe, both hidden
- presence of the following files in the root directory of the system drive: an autorun.inf file pointing to wcgswa.exe (both hidden)
- presence of the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdooosoft, pointing to %temp%\herss.exe

TECHNICAL DESCRIPTION:
This malware's purpose is to steal information regarding online games. When executed, it will perform the following modifications:

FILES
- copies itself into the %temp% folder as herss.exe, and drops a .dll file named cvasds0.dll in the same directory, both hidden

REGISTRY
- registers itself at startup by adding the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdooosoft, pointing to %temp%\herss.exe

PROCESSES
The initial process of the malware will only copy itself, drop the .dll file inside the %temp% folder and inject it into explorer.exe. The .dll file will perform the rest of the modifications (registry and autorun modifications).

PASSWORD STEALING
The injected .dll will begin its quest to gather sensitive information regarding several online games: Metin2, FlyFF, Maple Story, Age of Conan, Knight Online.

Note: %temp% is a variable that refers to the temp folder (usually x:\documents and settings\[user-name]\Local Settings\temp, where x is the system drive).

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Lutas Andrei Vlad, virus researcher
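The following PowerShell script is an added example, not part of the BitDefender entry, that checks a host for the indicators listed above (the dropped files in %temp%, the cdooosoft Run value, and the autorun.inf / wcgswa.exe pair in the system drive root). The file names and registry path come from the entry; the assumption that autorun.inf mentions "wcgswa.exe" literally in its text is ours, since the entry only says the file "points to" it.

```powershell
# Added example (not from the BitDefender entry): report the indicators of
# Worm.Generic.95776 described above. Run as the user whose HKCU hive and
# %temp% should be inspected. Nothing is deleted; this is a read-only check.
$findings = @()

# 1. Dropped files in %temp%. Both are reported hidden, so -Force is needed
#    to read their attributes.
foreach ($name in 'herss.exe', 'cvasds0.dll') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings += "Dropped file present: $p (attributes: $attr)"
    }
}

# 2. Run-key persistence: HKCU\...\Run\cdooosoft -> %temp%\herss.exe
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = Get-ItemProperty -Path $runKey -Name 'cdooosoft' -ErrorAction SilentlyContinue
if ($val) {
    $findings += "Run value cdooosoft present: $($val.cdooosoft)"
}

# 3. autorun.inf in the system drive root referencing wcgswa.exe, plus the
#    dropped wcgswa.exe itself (both reported hidden).
$root    = $env:SystemDrive + '\'
$autorun = Join-Path $root 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    $text = Get-Content -LiteralPath $autorun -Force -Raw -ErrorAction SilentlyContinue
    # Assumption: the executable name appears literally in the .inf text.
    if ($text -match 'wcgswa\.exe') {
        $findings += "autorun.inf in $root references wcgswa.exe"
    }
}
if (Test-Path -LiteralPath (Join-Path $root 'wcgswa.exe')) {
    $findings += "wcgswa.exe present in $root"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm.Generic.95776 indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Any hit should be followed by a full scan rather than manual deletion, since the injected .dll inside explorer.exe is what recreates the registry and autorun entries.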