Trojan.PWS.OnlineGames.KDKC

LOW
LOW
420KB
(Trojan-GameThief.Win32.Magania.dihe, Trojan.PWS.Gamania.24496, Win32:OnLineGames-FTA)

Symptoms

The presence of the following hidden files:
        "%windir%\system32\post[number].dll"
        "%windir%\system32\post.exe"
        "autorun.inf", "hvoxmq.exe" (in the root directory of the infected drives)

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Bogdan Sachelarie, virus researcher

Technical Description:

    This malware belongs to the widespread "OnlineGames" password-stealer family. When run, it creates an "autorun.inf" file in the root directory of every drive it detects, pointing to a hidden copy of the virus named "hvoxmq.exe". If the drive is shared across the network, other remote computers can be infected whenever they access that share.

    It also copies itself into "%windir%\system32\" as "post.exe", where it drops a DLL named "post[number].dll". The DLL is injected into the memory space of "explorer.exe", from which it is then loaded into other processes. A component of the DLL tries to steal passwords by keylogging from games such as "Maplestory", "Gash", "Lineage" and "Goodluck", and sends the captured data to a set of previously known IP addresses. It also tries to disrupt the activity of some local antivirus monitors and antivirus updaters.
    
    The malware also modifies the following registry entries:

  • "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\postos"->"%WINDIR%\system32\post.exe", which runs the malware on every system startup
  • "HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL"->"0", which makes Windows Explorer stop showing hidden files

    The persistence of the virus is ensured by the loaded DLL, by the "autorun.inf" files, and by the autorun registry entry.
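The indicators listed on this page (the "postos" Run value, the SHOWALL setting, the hidden files in system32 and the autorun.inf/hvoxmq.exe pair on drive roots) can be checked in one read-only triage pass. The following PowerShell script is an added example, not a Bitdefender tool; it only reports what it finds and removes nothing. The page writes the Explorer setting as SHOWALL -> 0 without saying whether that is a value or a key, so the script checks both interpretations (the CheckedValue location is an assumption based on where Windows normally stores this setting).

```powershell
# Read-only triage for Trojan.PWS.OnlineGames.KDKC indicators (added example).
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Startup persistence: Run value "postos" -> %WINDIR%\system32\post.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$postos = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).postos
if ($postos) { $findings.Add("Run value 'postos' = $postos") }

# 2. Explorer told to stop showing hidden files. Checked as a value named SHOWALL
#    under ...\Folder\Hidden and, as a fallback, as CheckedValue under a SHOWALL
#    subkey (assumption: the location Windows normally uses for this setting).
$hiddenKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
$showAll = (Get-ItemProperty -Path $hiddenKey -ErrorAction SilentlyContinue).SHOWALL
$checked = (Get-ItemProperty -Path "$hiddenKey\SHOWALL" -ErrorAction SilentlyContinue).CheckedValue
if ($showAll -eq 0 -or $checked -eq 0) { $findings.Add('SHOWALL forced to 0 (hidden files suppressed)') }

# 3. Dropped binaries in system32; they are hidden, so -Force is needed to list them
$sys32 = Join-Path $env:windir 'system32'
$dropped = Get-ChildItem -Path $sys32 -Force -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -match '^post(\d+\.dll|\.exe)$' }
foreach ($f in $dropped) { $findings.Add("Dropped file: $($f.FullName) [$($f.Attributes)]") }

# 4. autorun.inf + hidden hvoxmq.exe in the root of every drive (mapped shares included)
foreach ($root in (Get-PSDrive -PSProvider FileSystem).Root) {
    $inf = Join-Path $root 'autorun.inf'
    $exe = Join-Path $root 'hvoxmq.exe'
    if (Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue) {
        $findings.Add("Hidden dropper copy: $exe")
    }
    # Flag autorun.inf only when it actually points at the dropper
    if ((Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue) -and
        (Select-String -LiteralPath $inf -Pattern 'hvoxmq' -Quiet)) {
        $findings.Add("autorun.inf referencing hvoxmq.exe: $inf")
    }
}

if ($findings.Count -eq 0) { 'No Trojan.PWS.OnlineGames.KDKC indicators found.' }
else { "Indicators found ($($findings.Count)):"; $findings | ForEach-Object { "  - $_" } }
```

Run it in the context of the user whose HKCU hive is suspected, since the Run and SHOWALL entries are per-user; a hit on any item is a reason to let the antivirus product disinfect rather than delete files by hand, because the injected DLL keeps the dropper alive.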