The dsoqq.exe and dsoqq0.dll files are present on the system, together with an autorun entry for dsoqq.exe.
Autorun files are created on all drives, and the system might be slowed down slightly.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Voicu Hodrea, virus researcher

Technical Description:

This is a trojan horse that steals private information, specifically login information for a number of
online games (see list below).

The malware moves itself to the location <user's documents and settings>\Local Settings\Temp\dsoqq.exe. It sets an autorun for the copy by adding a value called "dso32" in the registry key

It also drops a .dll file called dsoqq0.dll in the same location as dsoqq.exe.

The malware also starts executing code through the explorer.exe process (the dll is created by explorer.exe). Every minute or so, explorer.exe creates on every drive an autorun.inf file pointing to an exe with a random name (e.g. bu8.exe), which is another copy of the malware. This allows the malware to be distributed through removable drives.
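A defensive check for the file indicators described above, as an added example that is not part of the original write-up or of Bitdefender's tooling: it parses an autorun.inf found at a drive root, reports any executable it launches, and looks for dsoqq.exe and dsoqq0.dll in a given Temp directory. The function names are hypothetical, and the launch keys matched are the standard Windows AutoRun keys, not values extracted from a sample.

```python
import re
from pathlib import Path

# File names taken from the description above.
DROPPED_NAMES = {"dsoqq.exe", "dsoqq0.dll"}
# autorun.inf keys that make Windows launch a program (assumed standard keys).
LAUNCH_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def autorun_targets(text):
    """Return the program each launch key in an autorun.inf points to."""
    targets = []
    for line in text.splitlines():
        m = LAUNCH_KEY.match(line)
        cmd = m.group(1).strip() if m else ""
        if not cmd:
            continue
        # Keep the program path only: drop quotes and any arguments.
        targets.append(cmd[1:].split('"', 1)[0] if cmd.startswith('"')
                       else cmd.split()[0])
    return targets


def read_inf(path):
    """Decode autorun.inf, which may be UTF-16 (with BOM) or an ANSI code page."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def scan_drive_root(root):
    """List (target, exists_on_drive) for each .exe an autorun.inf at root launches."""
    root = Path(root)
    findings = []
    for entry in root.iterdir():
        if entry.name.lower() != "autorun.inf" or not entry.is_file():
            continue
        for target in autorun_targets(read_inf(entry)):
            if target.lower().endswith(".exe"):
                rel = target.replace("\\", "/").lstrip("/")
                findings.append((target, (root / rel).is_file()))
    return findings


def scan_temp_dir(temp_dir):
    """Return the dropped file names from the description found in temp_dir."""
    return sorted(p.name for p in Path(temp_dir).iterdir()
                  if p.name.lower() in DROPPED_NAMES)
```

Call `scan_drive_root` once per mounted drive root and `scan_temp_dir` on each user's Temp directory; a finding whose second element is `True` means the referenced executable is actually present beside the autorun.inf.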

The code running in explorer.exe will also load the created .dll file when the user runs an application. That .dll is used to spy on the user's application; if it detects one of the online games, it waits for the user to enter his/her credentials and sends them to the malware's creator. It will also try to bypass some anti-hack tools used with these games, such as HShield.

The full list of targeted games is:

  • Maple Story
  • Cabal Online
  • Metin2
  • Dungeon Fighter
  • Dofus (it recognizes the game by searching for known server, NPC or items' names like: Crocoburio, Lily, Hecate, Ruliet, Vil Smisse, etc.)
  • Flyff (again, searches for keywords like Clockworks, Glaphan, Mushpoie, etc.)
  • Aion Online
  • Last Chaos
  • Knight Online
  • Silk Road Online
  • 2moons
  • Dekaron
  • Lineage 2
  • World of Warcraft
  • Seal Online.