(PSW.OnlineGames, Trojan.Dropper, Trojan-GameThief.Win32.OnLineGames.sdv, PWS:Win32/Frethog.AD)


Presence of the following hidden files:

%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp



where XX stands for a number between 00 and 99

Removal instructions:

Clean the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Delete the following files:



%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp

Please let BitDefender disinfect your files.

Analyzed By

Tudor Bura, virus researcher

Technical Description:

This malware belongs to the widespread "OnlineGames" password stealer family.

When run, the trojan will perform the following actions:

Drops the files:

%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp - which contains a copy of the virus body

%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp3.tmp - copy of msosmhfpXX.dll, described next

%WINDIR%\SYSTEM32\msosmhfpXX.dll - a DLL that will be loaded by every process

Writes to the file %WINDIR%\win.ini in order to make an association with the name of the above DLL

Sets the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs to "msosmhfpXX.dll", which tells Windows to load the DLL into every application. This is used so that the trojan runs again after a restart of the system.

Data collected will be stored in %WINDIR%\SYSTEM32\msosmhfpXX.dat - a data file where the above DLL saves games information.
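As an added example, not part of the BitDefender write-up, the following PowerShell audit checks a host for the indicators described in the removal instructions and in the persistence steps above (the AppInit_DLLs value, the msosmhfpXX.dll/.dat files in System32, the temp-file copies and the win.ini entry). The function name and the extra look at %TEMP% are assumptions of this example; it reports and does not remove anything.

```powershell
# Added example, not code from the advisory. Run from an elevated prompt.
function Find-FrethogIndicators {
    $findings = @()
    $dllPattern = 'msosmhfp\d{2}\.dll'   # XX is a number between 00 and 99

    # 1. AppInit_DLLs persistence value
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $regPath -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit -and $appInit -match $dllPattern) {
        $findings += "Registry: AppInit_DLLs = '$appInit'"
    }

    # 2. Dropped DLL and data file in System32 (-Force also lists hidden files)
    $sys32 = Join-Path $env:WINDIR 'SYSTEM32'
    Get-ChildItem -Path $sys32 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^msosmhfp\d{2}\.(dll|dat)$' } |
        ForEach-Object {
            $hidden = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            $findings += "File: $($_.FullName) (hidden=$hidden)"
        }

    # 3. Temp copies of the trojan body and of the DLL.
    #    The XP-era path from the advisory plus %TEMP% (assumed) for newer systems.
    $tempDirs = @((Join-Path "$env:HOMEDRIVE$env:HOMEPATH" 'Local Settings\Temp'), $env:TEMP)
    foreach ($dir in ($tempDirs | Select-Object -Unique)) {
        foreach ($name in 'tmp2.tmp', 'tmp3.tmp') {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
        }
    }

    # 4. Reference to the DLL written into win.ini
    $winIni = Join-Path $env:WINDIR 'win.ini'
    if (Test-Path -LiteralPath $winIni) {
        Select-String -Path $winIni -Pattern $dllPattern |
            ForEach-Object { $findings += "win.ini: $($_.Line.Trim())" }
    }

    return $findings
}

$hits = Find-FrethogIndicators
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } }
else       { Write-Host 'No Frethog.AD / OnlineGames indicators found.' }
```

A non-empty result means the registry value and the listed files should be cleaned as the removal instructions describe, then the system rebooted and rescanned.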

The trojan will steal login information from the game Cabal, and possibly others, and send the data to some previously known IP addresses.

The copied DLL will inject code in all processes.

The trojan will delete its original file.