
Trojan.PWS.Onlinegames.KDBI

LOW
MEDIUM
113KB
Alias: Win32/Taterf (OneCare)

Symptoms

Presence of the files and registry key specified in the technical description
Inability to update some security solutions

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

In order to hide its actions, when it is first run the trojan injects its code into the memory of Explorer.exe using low-level methods and starts a remote thread pointing to this region. This code (executed by Explorer) is responsible for injecting a DLL dropped by the trojan (%USERPROFILE%\Local Settings\Temp\cvasd0.dll) into all running processes.

The injected DLL contains two components. The first is an online-games password stealer (targets: KnightOnline, Metin2, AgeOfConan, TheLordOfTheRings, Maple...). The second, an embedded DLL (ANTIVM.dll), tries to disable some known security solutions, usually by stopping their update service modules (Liveserv.exe, vsupdate.exe, Update.exe, AVP.exe, avgupd.exe).

The code injected into the Explorer.exe process copies itself to %ROOT%[random_name].exe and creates an Autorun.inf file pointing to this copy.

The following registry key is also modified by the malware:

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        "cdoosoft" = "%TEMP%\herss.exe"

where the executable is a copy of the malware.

The trojan then tries to download an updated, encrypted version (also detected as Trojan.PWS.Onlinegames) from:

        www.googlem7k.com/[removed]/am.rar
        www.sinap4k.com/[removed]/am.rar
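As an added triage example (not part of the Bitdefender entry), the following Python checks an exported HKCU Run key and an autorun.inf for the persistence indicators described above: the "cdoosoft" value, any Run entry launching from Temp, and autorun directives that execute a file at the drive root. The sample artifacts are constructed, and random_name.exe stands in for the page's [random_name].exe.

```python
import re
from typing import List

# Persistence indicators quoted from the Bitdefender description of this trojan
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "cdoosoft"
TEMP_PATH_RE = re.compile(r"%temp%|\\local settings\\temp\\", re.I)


def scan_run_key_export(reg_text: str) -> List[str]:
    """Walk a .reg export and report Run values matching the described persistence."""
    findings, in_run_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"known value name {name!r} -> {data}")
        elif TEMP_PATH_RE.search(data):
            findings.append(f"Run value {name!r} launches from Temp -> {data}")
    return findings


def scan_autorun_inf(inf_text: str) -> List[str]:
    """Report autorun.inf directives that launch a file when the drive is opened."""
    directive = re.compile(r"^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(\S.*)$", re.I)
    return [f"{m.group(1).lower()} -> {m.group(2).strip()}"
            for m in map(directive.match, inf_text.splitlines()) if m]


# Constructed sample artifacts modelled on the description (not real captures);
# random_name.exe is a placeholder for the page's %ROOT%[random_name].exe copy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cdoosoft"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\herss.exe"
"""
SAMPLE_AUTORUN = "[AutoRun]\nopen=random_name.exe\nshell\\open\\Command=random_name.exe\n"

if __name__ == "__main__":
    for hit in scan_run_key_export(SAMPLE_REG) + scan_autorun_inf(SAMPLE_AUTORUN):
        print("SUSPECT:", hit)
```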