Trojan.PWS.OnlineGames.KCWV
HIGH
MEDIUM
variable
(Trojan-GameThief.Win32.Magania.bwsr, PWS:Win32/Lolyda.AT, W32/OnlineGames.BWA!tr.pws, Infostealer.Gampass)
Symptoms
The presence of a randomly named file with the extension “.Ttf” in the “%WINDIR%\Downloaded Program Files” directory.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
George Cabau, virus researcher
Technical Description:
The malware creates a configuration file named [random].Ttf in “%WINDIR%\Downloaded Program Files” and a DLL in the “%WINDIR%\system32” directory named “CWcQnWxHjWqtE6PsYyEe.inf”. It then creates a new registry entry, HKLM\SOFTWARE\Classes\CLSID\{CB661471-055A-4C5B-9ED0-497B9908FEF5}\InprocServer32, with (default) -> C:\WINDOWS\system32\CWcQnWxHjWqtE6PsYyEe.inf (the CLSID and the .inf file name may vary).
It also registers itself as an Explorer ShellExecuteHook by creating the value {CB661471-055A-4C5B-9ED0-497B9908FEF5} -> null under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks.
It also tries to delete “%WINDIR%\system32\verclsid.exe” and, at the end of its execution, deletes itself from disk to remove traces of its presence.
It has the ability to take screenshots from time to time and to record sensitive data, which it sends together with user names, passwords and other details about the affected users to a malware server.
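The artefacts above (a ShellExecuteHook whose CLSID resolves to a non-DLL InprocServer32 under system32, a .Ttf file in Downloaded Program Files, and a missing verclsid.exe) can be checked for on a host without knowing the exact CLSID or file name, which the description says vary between samples. The following PowerShell script is an added example written for this entry; it is not BitDefender's code or tooling. It assumes an elevated PowerShell prompt on Windows, reads only (no remediation), and the function names Get-ShellExecuteHookFindings and Get-FileArtefactFindings are hypothetical names chosen here.

```powershell
# Added example (not from the BitDefender entry): hunt for the persistence
# artefacts described above. The CLSID and .inf name vary per sample, so the
# checks are structural: hook CLSID -> InprocServer32 -> what file Explorer
# would actually load. Read-only; run from an elevated prompt.

function Get-ShellExecuteHookFindings {
    # Hypothetical helper name. Enumerates every registered ShellExecuteHook
    # (native and WOW6432Node views) and resolves each CLSID to its server.
    $hookKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    )
    foreach ($hookKey in $hookKeys) {
        if (-not (Test-Path -LiteralPath $hookKey)) { continue }
        $hookProps = Get-ItemProperty -LiteralPath $hookKey
        # Value names under ShellExecuteHooks are CLSIDs in braces.
        $clsids = $hookProps.PSObject.Properties |
            Where-Object { $_.Name -like '{*}' } |
            ForEach-Object { $_.Name }
        foreach ($clsid in $clsids) {
            $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $server = $null
            if (Test-Path -LiteralPath $serverKey) {
                $server = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
            }
            $reasons = @()
            if (-not $server) {
                $reasons += 'hook CLSID has no InprocServer32 value'
            } else {
                $path = [Environment]::ExpandEnvironmentVariables($server)
                $ext  = [IO.Path]::GetExtension($path).ToLowerInvariant()
                # A legitimate in-process COM server is a DLL; an .inf (or any
                # other extension) registered here is the pattern from this entry.
                if ($ext -ne '.dll') { $reasons += "server is not a .dll ($ext)" }
                if ($ext -eq '.inf' -and $path -like "$env:WINDIR\system32\*") {
                    $reasons += '.inf under system32 registered as a COM server'
                }
                if (-not (Test-Path -LiteralPath $path)) {
                    $reasons += 'server file not on disk'
                } elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
                    $reasons += 'server file is not validly signed'
                }
            }
            [PSCustomObject]@{
                HookKey    = $hookKey
                CLSID      = $clsid
                Server     = $server
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

function Get-FileArtefactFindings {
    # Hypothetical helper name. Checks the two file-system indicators:
    # .Ttf files in Downloaded Program Files and a deleted verclsid.exe.
    $dpf = Join-Path $env:WINDIR 'Downloaded Program Files'
    if (Test-Path -LiteralPath $dpf) {
        Get-ChildItem -LiteralPath $dpf -Filter '*.Ttf' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [PSCustomObject]@{
                    Artefact = $_.FullName
                    Note     = 'unexpected .Ttf file in Downloaded Program Files (possible config file)'
                }
            }
    }
    $verclsid = Join-Path $env:WINDIR 'system32\verclsid.exe'
    if (-not (Test-Path -LiteralPath $verclsid)) {
        [PSCustomObject]@{
            Artefact = $verclsid
            Note     = 'verclsid.exe is missing; this sample tries to delete it'
        }
    }
}

# Usage: review every hook, not only flagged ones, then the file indicators.
Get-ShellExecuteHookFindings | Format-Table -AutoSize
Get-FileArtefactFindings     | Format-List
```

Because the sample deletes itself at the end of execution, the registry hook and the .inf under system32 are often the durable evidence; a hook whose server file is missing is therefore still worth recording. The script only reports; removal of the hook and the dropped files should be left to the disinfection step above.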