
Trojan.PWS.Onlinegames.KDHO

MEDIUM
LOW
110 KB
Aliases: Win32/PSW.OnLineGames.OUM, Worm.Win32.Taterf!IK, BScope.Trojan-PSW.AmGames

Symptoms

The following files will be found on an infected computer:
%TEMP%\dsoqq.exe (109-110 KB)
%TEMP%\dsoqq[random_digit].dll (70-72 KB)
OR
%TEMP%\nodqq.exe (110 KB)
%TEMP%\nodqq[random_digit].dll (70 KB)

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Robert Szasz, virus researcher

Technical Description:

This is another variant of one of the most widespread online-game password-stealer malware "families" out there.

When run, the malware creates a copy of itself under the name dsoqq.exe or nodqq.exe and registers that copy for startup by creating one of the
following registry entries:
"HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\dso32"
"HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\nod32"
with its value pointing to the created copy.

Next it drops a DLL with the same base name as the malware, dsoqq[random_digit].dll or nodqq[random_digit].dll,
and injects it into the memory space of explorer.exe; the original file then deletes itself.
This DLL is the actual password-stealing component:

Target games: dungeonfighter, MapleStory, Valhalla, knightonline, dekaron, so3d.

The gathered information is then sent to a number of websites controlled by the malware authors.

Both components of the malware are packed with Aspack packer.

The malware spreads over removable devices with an autorun.inf that points to an executable under the name xjb3.exe or qhbfqx.exe.

The malware changes the "Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL" registry key so that the user
cannot view hidden files from Windows Explorer.
It also changes the "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun" entry in order to turn autorun on.
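As an added example (not part of the Bitdefender write-up), the following read-only PowerShell check looks for the indicators listed on this page: the dropped files in %TEMP%, the dso32/nod32 Run entries, the SHOWALL and NoDriveTypeAutoRun registry values, and an autorun.inf on removable drives referencing xjb3.exe or qhbfqx.exe. The page names the SHOWALL key but not the value under it; checking its standard CheckedValue entry is an assumption, as is treating 0xFF as the "autorun fully disabled" mask.

```powershell
# Added example: hunt for Trojan.PWS.Onlinegames.KDHO indicators on a Windows host.
# Reports only; it does not remove anything. Run in an elevated PowerShell 3+ session.
$findings = @()

# 1. Dropped copies and companion DLLs in %TEMP%
$temp = [Environment]::GetEnvironmentVariable('TEMP')
foreach ($pattern in 'dsoqq.exe', 'dsoqq*.dll', 'nodqq.exe', 'nodqq*.dll') {
    Get-ChildItem -Path $temp -Filter $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Dropped file: $($_.FullName) ($([math]::Round($_.Length / 1KB)) KB)"
    }
}

# 2. Persistence: Run values named dso32 / nod32 pointing at the dropped copy
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'dso32', 'nod32') {
    $target = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($target) { $findings += "Run entry '$name' -> $target" }
}

# 3. Hidden-file display tampered (assumption: CheckedValue under SHOWALL set away from 1)
$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $checked -and $checked -ne 1) { $findings += "SHOWALL\CheckedValue is $checked (expected 1)" }

# 4. Autorun policy: 0xFF disables autorun for every drive type; anything lower leaves some on
foreach ($hive in 'HKCU', 'HKLM') {
    $polKey = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $mask = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -ne $mask -and $mask -ne 0xFF) {
        $findings += ("{0} NoDriveTypeAutoRun = 0x{1:X2} (autorun not fully disabled)" -f $hive, $mask)
    }
}

# 5. autorun.inf on removable drives (DriveType 2) referencing the spreader executables
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $text = (Get-Content -Path $inf -ErrorAction SilentlyContinue) -join "`n"
        if ($text -match 'xjb3\.exe|qhbfqx\.exe') {
            $findings += "autorun.inf on $($_.DeviceID) references $($matches[0])"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Trojan.PWS.Onlinegames.KDHO indicators found.' }
```

A non-0xFF NoDriveTypeAutoRun value on its own is not proof of infection (older Windows defaults are lower); treat it as corroborating evidence alongside the file and Run-key findings.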