BitDefender Antivirus

Trojan.PWS.OnlineGames.KCWV

(Trojan-GameThief.Win32.Magania.bwsr, PWS:Win32/Lolyda.AT, W32/OnlineGames.BWA!tr.pws, Infostealer.Gampass)
Spreading: high
Damage: medium
Size: variable
Discovered: 2009 Oct 16

SYMPTOMS:

The presence of a randomly named file having the extension “.Ttf” in the “%WINDIR%\Downloaded programs files” directory.

TECHNICAL DESCRIPTION:

The malware creates a configuration file named [random].Ttf in “%WINDIR%\Downloaded Programs Files” and a DLL file in the “%WINDIR%\system32” directory named “CWcQnWxHjWqtE6PsYyEe.inf”. It then creates a new registry entry:

HKLM\SOFTWARE\Classes\CLSID\{CB661471-055A-4C5B-9ED0-497B9908FEF5}\InprocServer32
(default) -> C:\WINDOWS\system32\CWcQnWxHjWqtE6PsYyEe.inf

(the CLSID and the .inf file name may vary).

It also registers itself as an Explorer ShellExecuteHook by creating the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {CB661471-055A-4C5B-9ED0-497B9908FEF5} -> null, so that the DLL is loaded into explorer.exe.

It also tries to delete “%WINDIR%\system32\verclsid.exe” and at the end of its execution it will delete itself from the disk to remove any traces of its presence.
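The registry and file indicators above translate directly into a host check. The following PowerShell script is an added example written for this page, not a BitDefender tool: it reads the ShellExecuteHooks key, resolves each hooked CLSID to its InprocServer32 path and flags servers that are not .dll files, are missing, or are not validly signed; it then looks for .Ttf files in Downloaded Program Files (the standard Windows folder name; the description's spelling differs) and reports a missing verclsid.exe. The Add-Finding helper and the "non-.dll or unsigned" heuristic are assumptions of the example, not criteria stated in the description, and the script only reads, it removes nothing.

```powershell
# Added example, not BitDefender's tool: audit a Windows host for the
# persistence and file indicators described above. Run from an elevated
# PowerShell; it only reads the registry and file system.

$findings = New-Object System.Collections.Generic.List[object]

# Helper assumed by this example (not part of the description).
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. ShellExecuteHooks: every value name is a CLSID whose InprocServer32
#    server is loaded into explorer.exe. Resolve each one and flag odd servers.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooksKey) {
    foreach ($clsid in (Get-Item $hooksKey).GetValueNames()) {
        # Skip value names that are not {GUID}-shaped.
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $server = $null
        if (Test-Path $serverKey) {
            $server = (Get-ItemProperty -Path $serverKey).'(default)'
        }
        if (-not $server) {
            Add-Finding 'ShellExecuteHook' "$clsid has no InprocServer32 path"
            continue
        }

        $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $reason = @()
        # The described sample registers a DLL carrying an .inf extension.
        if ([IO.Path]::GetExtension($path) -ne '.dll') { $reason += 'non-.dll server' }
        if (-not (Test-Path -LiteralPath $path)) {
            $reason += 'server file missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reason += "signature $($sig.Status)" }
        }
        if ($reason.Count -gt 0) {
            Add-Finding 'ShellExecuteHook' "$clsid -> $path ($($reason -join ', '))"
        }
    }
}

# 2. Randomly named .Ttf files in Downloaded Program Files (standard folder
#    name; the description spells it "Downloaded programs files").
$dpf = Join-Path $env:WINDIR 'Downloaded Program Files'
if (Test-Path -LiteralPath $dpf) {
    Get-ChildItem -LiteralPath $dpf -Filter '*.ttf' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ConfigFile' $_.FullName }
}

# 3. The sample tries to delete verclsid.exe; report its absence.
$verclsid = Join-Path $env:WINDIR 'system32\verclsid.exe'
if (-not (Test-Path -LiteralPath $verclsid)) {
    Add-Finding 'MissingSystemFile' $verclsid
}

if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A legitimate ShellExecuteHook will normally point at a signed .dll under %WINDIR%, so a hit on the non-.dll or signature checks is a lead to investigate rather than proof of infection; confirm with the vendor's scanner before acting on it.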

It has the ability to take screenshots from time to time and to record sensitive data, which it sends, together with user names, passwords and other details about the affected users, to a malware server.

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect your files.

ANALYZED BY:

George Cabau, virus researcher