274432 B (exe file), 226893 B (dll component)


- presence of %temp%\herss.exe

- presence of %temp%\cvasds0.dll

- presence of c:\autorun.inf, pointing to c:\0qw6vege.exe

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft, pointing to %temp%\herss.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This is another "classic" online-games password stealer that shares most of its behavior with the rest of its family. Upon execution, the malware will:
- make a fresh copy of itself inside the %temp% folder, as herss.exe
- drop its dll component inside the %temp% folder, as cvasds0.dll
- register itself at startup by adding the registry value
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft, which points to %temp%\herss.exe
- inject the dropped dll (cvasds0.dll) into running processes.

The DLL is responsible for the actual stealing. After being injected into all running processes, it will create a new copy of the trojan in the root directory of the C: drive, as 0qw6vege.exe, together with an autorun.inf file that points to 0qw6vege.exe.
It will set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\Checked value to 0, which disables the "Show hidden files and folders" option under Folder Options -> View, so the dropped files stay hidden.
The trojan will also try to bypass GameGuard and HShield protection, software commonly used to prevent cheating or password stealing.
It will steal sensitive data related to the following online games:
MapleStory, AgeOfConan, The Lord of the Rings Online, Knight Online, Metin 2, FlyFF.
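The symptoms and the behavior described above can be checked on a suspect host with the following read-only PowerShell script. It is an added example, not part of the BitDefender description, and it assumes that the "Checked value" under SHOWALL is the CheckedValue registry entry; the Test-HerssIndicators function name is invented for this example.

```powershell
# Added example: read-only check for the indicators described above.
# Assumption: the "Checked value" under SHOWALL is the CheckedValue entry.
function Test-HerssIndicators {
    $found = @()

    # Dropped files in %temp% and in the root of C:
    $files = @("$env:TEMP\herss.exe", "$env:TEMP\cvasds0.dll", 'C:\0qw6vege.exe')
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $found += "file present: $f" }
    }

    # autorun.inf in the root of C: pointing at the dropped copy
    if (Test-Path -LiteralPath 'C:\autorun.inf') {
        if (Select-String -Path 'C:\autorun.inf' -Pattern '0qw6vege\.exe' -Quiet) {
            $found += 'C:\autorun.inf references 0qw6vege.exe'
        }
    }

    # Persistence: Run value "cdoosoft" pointing at %temp%\herss.exe
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name cdoosoft -ErrorAction SilentlyContinue
    if ($run -and $run.cdoosoft -match 'herss\.exe') {
        $found += "Run value cdoosoft -> $($run.cdoosoft)"
    }

    # "Show hidden files and folders" forced off (CheckedValue set to 0)
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $hidden = Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
    if ($hidden -and $hidden.CheckedValue -eq 0) {
        $found += 'SHOWALL\CheckedValue is 0 (hidden files suppressed)'
    }

    # Injected DLL loaded in running processes (elevated rights see more processes)
    $procs = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { ($_.Modules | ForEach-Object { $_.ModuleName }) -contains 'cvasds0.dll' }
        catch { $false }
    }
    foreach ($p in $procs) { $found += "cvasds0.dll loaded in $($p.ProcessName) (PID $($p.Id))" }

    return $found
}

$hits = @(Test-HerssIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No indicators of this trojan found.'
} else {
    Write-Output 'Indicators found:'
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; removal is left to the antivirus product as the description instructs.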