
Trojan.PWS.OnlineGames.KCWV

HIGH
MEDIUM
variable
(Trojan-GameThief.Win32.Magania.bwsr, PWS:Win32/Lolyda.AT, W32/OnlineGames.BWA!tr.pws, Infostealer.Gampass)

Symptoms

The presence of a randomly named file with the extension “.Ttf” in the “%WINDIR%\Downloaded programs files” directory.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

The malware creates a configuration file named [random].Ttf in “%WINDIR%\Downloaded Programs Files” and a dll file in the “%WINDIR%\system32” directory named “CWcQnWxHjWqtE6PsYyEe.inf”. After this it creates a new registry entry, HKLM\SOFTWARE\Classes\CLSID\{CB661471-055A-4C5B-9ED0-497B9908FEF5}\InprocServer32 (default) -> C:\WINDOWS\system32\CWcQnWxHjWqtE6PsYyEe.inf (the CLSID and the .inf file name may vary).

It will also register itself as an explorer ShellExecuteHook by creating HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {CB661471-055A-4C5B-9ED0-497B9908FEF5} -> null.

It also tries to delete “%WINDIR%\system32\verclsid.exe” and at the end of its execution it will delete itself from the disk to remove any traces of its presence.
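The following PowerShell script is an added example (not Bitdefender's own tooling) that audits the persistence points described above from an administrator prompt: it enumerates Explorer ShellExecuteHooks, resolves each CLSID's InprocServer32 module and flags non-DLL, missing or unsigned handlers, then checks for the deleted verclsid.exe and for stray .Ttf files. It assumes the standard Windows folder name “Downloaded Program Files”, which the write-up spells slightly differently.

```powershell
# Added example, not part of the Bitdefender write-up: audit the persistence
# points used by this family and report anything that matches the pattern.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Explorer ShellExecuteHooks: each value name is a CLSID whose
#    InprocServer32 (default) value names the module Explorer will load.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooksKey) {
    $clsids = (Get-Item $hooksKey).GetValueNames() | Where-Object { $_ -like '{*}' }
    foreach ($clsid in $clsids) {
        $srvKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $module = if (Test-Path $srvKey) { (Get-ItemProperty $srvKey).'(default)' } else { $null }
        if (-not $module) {
            $findings.Add("ShellExecuteHook $clsid has no InprocServer32 module")
            continue
        }
        $path = [Environment]::ExpandEnvironmentVariables($module.Trim('"'))
        # A hook whose module is not a .dll (e.g. an .inf in system32), is
        # missing, or carries no valid signature matches this description.
        if ([IO.Path]::GetExtension($path) -ne '.dll') {
            $findings.Add("ShellExecuteHook $clsid loads a non-DLL module: $path")
        } elseif (-not (Test-Path $path)) {
            $findings.Add("ShellExecuteHook $clsid points to a missing file: $path")
        } elseif ((Get-AuthenticodeSignature $path).Status -ne 'Valid') {
            $findings.Add("ShellExecuteHook $clsid loads an unsigned module: $path")
        }
    }
}

# 2. The malware tries to delete verclsid.exe; its absence is a symptom.
$verclsid = Join-Path $env:WINDIR 'system32\verclsid.exe'
if (-not (Test-Path $verclsid)) { $findings.Add('verclsid.exe is missing from system32') }

# 3. Randomly named .Ttf configuration file in Downloaded Program Files
#    (standard folder name assumed; the write-up's spelling differs slightly).
$dpf = Join-Path $env:WINDIR 'Downloaded Program Files'
if (Test-Path $dpf) {
    Get-ChildItem -Path $dpf -Filter '*.Ttf' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Unexpected .Ttf file: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No indicators of this OnlineGames variant found.' }
else { $findings }
```

On 64-bit Windows a 32-bit sample registers under the Wow6432Node mirrors of these keys, so run the same checks against HKLM:\SOFTWARE\Wow6432Node\... as well.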

It can periodically take screenshots and record sensitive data, which it sends together with the user name, password and other details about the affected user to a malware server.