Trojan.PWS.Onlinegames.KDDS

Spreading: medium
Damage: medium
Size: approx 94 kb
Discovered: 2010 Feb 08

SYMPTOMS:

- presence of the following hidden files in the temp folder: cvasds0.dll and herss.exe
- presence of the following hidden files in the root of the system drive: autorun.inf, bveijo.exe
- presence of the registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\herss

TECHNICAL DESCRIPTION:

This malware's purpose is to steal information about online games. When executed, it copies itself to the temp folder as herss.exe and drops a file named cvasds0.dll in the same folder, both hidden. The .dll file is then injected into the memory of explorer.exe, and execution continues from there. The injected dll is responsible for the following actions:

- It makes an additional copy of the executable file in the root directory of the system drive, as bveijo.exe, and creates an autorun.inf file pointing to it.
- It registers the executable file at startup by adding the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\herss pointing to …\temp\herss.exe
- It unchecks the option "Show hidden files and folders" under Folder Options -> View by modifying the registry.
- It disables the Regedit tool.

The injected dll then begins to steal passwords for several online games: MapleStory, Metin2, Knight Online, Silkroad.

Propagation of the malware is assured by the periodic creation of autorun.inf and the associated executable file in the root folder of the local partitions and removable drives.
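A host triage check that looks for the symptoms described above, added here as an example and not part of BitDefender's tooling. The registry locations used for the "Show hidden files" setting and the Regedit restriction are the standard Windows ones; the advisory itself does not name them, so they are an assumption.

```powershell
# Added triage script (not BitDefender's): looks for the indicators named in
# this advisory. Run from an elevated PowerShell prompt on the suspect host.
$findings = @()

# 1. Hidden dropped files in the user's temp folder
foreach ($name in 'cvasds0.dll', 'herss.exe') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings += "Dropped file present: $p (attributes: $attr)"
    }
}

# 2. autorun.inf / bveijo.exe in the root of every local or removable drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'bveijo.exe') {
        $p = Join-Path $d.Root $name
        if (Test-Path -LiteralPath $p) { $findings += "Propagation file present: $p" }
    }
}

# 3. Persistence through the HKCU Run value named "herss"
$run = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = Get-ItemProperty -Path $run -Name herss -ErrorAction SilentlyContinue
if ($val) { $findings += "Run value 'herss' -> $($val.herss)" }

# 4. Explorer "Show hidden files and folders" forced off.
#    Assumed standard location (not named in the advisory); Hidden=2 means "do not show".
$adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -eq 2) { $findings += "Explorer set to hide hidden files (Hidden=2)" }

# 5. Regedit disabled through the per-user policy value.
#    Assumed standard location (not named in the advisory); non-zero means disabled.
$pol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($null -ne $drt -and $drt -ne 0) { $findings += "Regedit disabled (DisableRegistryTools=$drt)" }

if ($findings.Count -eq 0) { 'No indicators from this advisory found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on items 1 to 3 is a strong match for this family; items 4 and 5 alone can also result from legitimate policy and should be read together with the file and Run-key findings.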

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Prelipcean Bogdan, virus researcher