Trojan.PWS.OnlineGames.KDAT
SYMPTOMS:
- presence of %temp%\herss.exe
- presence of %temp%\cvasds0.dll
- presence of c:\autorun.inf, pointing to c:\0qw6vege.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft, pointing to %temp%\herss.exe

TECHNICAL DESCRIPTION:
This is another "classic" online-games password stealer that shares most of its behavior with the rest of its family. Upon execution, the malware performs the following:
- makes a fresh copy of itself inside the %temp% folder, as herss.exe
- drops its DLL component inside the %temp% folder, as cvasds0.dll
- registers itself at startup by adding the registry value SoftWare\Microsoft\Windows\CurrentVersion\Run\cdoosoft, which points to %temp%\herss.exe
- injects the dropped DLL (cvasds0.dll) into running processes

The DLL is responsible for the actual "stealing". After being injected into all running processes, it creates a new copy of the trojan in the root directory of the C: drive, as 0qw6vege.exe, together with an autorun.inf file that points to 0qw6vege.exe. It sets the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\Checked value to 0, disabling the "Show hidden files and folders" option under Folder Options -> View.

The trojan also tries to bypass GameGuard and HShield protection, software commonly used to prevent cheating or password stealing. It steals sensitive data related to the following online games: MapleStory, AgeOfConan, The Lord of the Rings Online, Knight Online, Metin 2, FlyFF.

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Lutas Andrei Vlad, virus researcher