Trojan.PWS.OnlineGames.RAH
Presence of the following hidden files:
%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp
%WINDIR%\system32\msosmhfpXX.dll
%WINDIR%\system32\msosmhfpXX.dat
where XX stands for a number between 00 and 99
Remove the "msosmhfpXX.dll" entry from the AppInit_DLLs value under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (the value may also list legitimate DLLs, so remove only the trojan's entry rather than deleting the whole value)
Delete the following files:
%WINDIR%\SYSTEM32\msosmhfpXX.dll
%WINDIR%\SYSTEM32\msosmhfpXX.dat
%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp
Please let BitDefender disinfect your files.
This trojan belongs to the widespread "OnlineGames" family of password stealers, which target credentials for online games.
When run, the trojan performs the following actions:
Drops the files:
%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp2.tmp - a copy of the trojan's own body
%HOMEDRIVE%%HOMEPATH%\Local Settings\Temp\tmp3.tmp - a copy of msosmhfpXX.dll, described next
%WINDIR%\SYSTEM32\msosmhfpXX.dll - a DLL that will be loaded into every process (see the AppInit_DLLs entry below)
Writes the name of the above DLL into the file %WINDIR%\win.ini
Sets the AppInit_DLLs value under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to "msosmhfpXX.dll". Windows maps every DLL listed there into each process that loads user32.dll, so the trojan's code is started with practically every application; this is also how it survives a restart of the system.
Stores the collected data in %WINDIR%\SYSTEM32\msosmhfpXX.dat - the data file in which the above DLL saves the harvested game credentials.
The trojan steals login information for the game Cabal, and possibly other games, and sends the data to a set of predefined IP addresses.
Through the AppInit_DLLs mechanism the DLL's code runs inside every user-mode process that loads user32.dll, including the game client.
Finally, the trojan deletes its original executable.
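The removal steps above (clearing the AppInit_DLLs entry, then deleting the hidden .dll/.dat files and tmp2.tmp) can be checked and carried out with the following PowerShell script. It is an added example for this page, not BitDefender's disinfection routine; it assumes the XP-era %HOMEDRIVE%%HOMEPATH%\Local Settings\Temp path given above, and it treats msosmhfp followed by exactly two digits as the file-name pattern. Run it from an elevated prompt; -WhatIf shows what would be changed without touching anything.

```powershell
# Added example, not BitDefender's tool: detect and remove the
# Trojan.PWS.OnlineGames.RAH indicators described on this page.
# Run elevated. -WhatIf / -Confirm are honoured by every change below.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# msosmhfpXX.dll / msosmhfpXX.dat, where XX is 00..99 (assumed: exactly two digits)
$pattern  = '^msosmhfp\d{2}\.(dll|dat)$'
$system32 = Join-Path $env:WINDIR 'System32'
# XP-era profile layout used by the sample (assumption; later Windows uses %LOCALAPPDATA%\Temp)
$tempDir  = Join-Path "$env:HOMEDRIVE$env:HOMEPATH" 'Local Settings\Temp'
$regKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Registry. AppInit_DLLs is a value under the Windows key and may legitimately
#    hold other space- or comma-separated entries, so strip only the trojan's entry
#    instead of blanking the whole value.
$current = (Get-ItemProperty -Path $regKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($current) {
    $entries = $current -split '[ ,]+' | Where-Object { $_ }
    $bad     = @($entries | Where-Object { (Split-Path $_ -Leaf) -match $pattern })
    if ($bad.Count -gt 0) {
        Write-Output "AppInit_DLLs references: $($bad -join ', ')"
        $clean = ($entries | Where-Object { $bad -notcontains $_ }) -join ' '
        if ($PSCmdlet.ShouldProcess("$regKey\AppInit_DLLs", "set to '$clean'")) {
            Set-ItemProperty -Path $regKey -Name 'AppInit_DLLs' -Value $clean
        }
    }
}

# 2. Files. The DLL and .dat are hidden, so -Force is needed to see them at all.
$files = @()
$files += Get-ChildItem -Path $system32 -Force -File -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -match $pattern }
$files += Get-ChildItem -LiteralPath (Join-Path $tempDir 'tmp2.tmp') -Force -ErrorAction SilentlyContinue

foreach ($f in $files) {
    Write-Output "Found: $($f.FullName)"
    if ($PSCmdlet.ShouldProcess($f.FullName, 'delete')) {
        # Clear Hidden/System/ReadOnly so Remove-Item is not refused on attributes.
        $f.Attributes = 'Normal'
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        } catch {
            # The DLL is mapped into running processes; expect this until the
            # AppInit_DLLs entry is gone and the machine has been rebooted.
            Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)"
        }
    }
}
```

Order matters: because the DLL is loaded into every process that uses user32.dll, it is usually locked while the system is running. Remove the AppInit_DLLs entry first, reboot (or boot into Safe Mode or an offline environment), and only then delete the files; a deletion that fails on the first pass is expected, not a sign the indicator is wrong. The script deliberately edits the AppInit_DLLs value rather than deleting it, since other software may legitimately register DLLs there.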