
Trojan.KillAV.RS

Spreading: LOW
Damage: LOW
Size: 18KB
Aliases: Trojan.PWS.Wsgame.19083, Win32/Frethog.GIO, PWS.OnlineGames3.AELK

Symptoms

The size of %SysDir%\ksuser.dll increases from 4096 bytes to 8480 bytes.
Presence of the file %SysDir%\TMP1.tmp, which is a copy of the original ksuser.dll.
Presence of several pictures in %SysDir%\dllcache\ containing screenshots of the desktop and of applications such as Internet Explorer or Windows Picture and Fax Viewer.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Andrea Takacs, virus researcher

Technical Description:

When executed, it performs the following actions:

Stops and deletes the cryptsvc service (Microsoft's Cryptographic Services), so the system can no longer verify the digital signatures or integrity of files. Windows Update and Windows File Protection also cannot work without this service.

Saves the original %SysDir%\ksuser.dll as %SysDir%\sksuser.dll and copies its own DLL to %SysDir%\ksuser.dll.

It searches for game installation directories on every FAT32 or NTFS partition. It looks through the running processes for any whose name ends in game.exe, and it enumerates the SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key to retrieve the paths of executables whose name contains the string game.exe. It then drops its own ksuser.dll into the directories found, so that it is loaded when the game starts.

The infected ksuser.dll has a 288-byte overlay containing two encrypted links:
        http://003[removed].cn/zhu/post.asp
        http://003[removed].cn/008/post.asp

The malware sends game information such as the username or password to the following URL:
        http://003.[removed].cn/zhu/mibao.asp

It also takes screenshots of the desktop and of application windows such as Internet Explorer or Windows Picture and Fax Viewer. The pictures are saved in %SysDir%\dllcache and sent to: http://003.[removed].cn/zhu/post.asp

The trojan deletes itself after the next reboot.
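The following host check is an added example, not part of the Bitdefender analysis: it turns the symptoms and actions listed above (the ksuser.dll size change, the backup copies, image files in dllcache, and the stopped cryptsvc service) into a triage function. The clean ksuser.dll size of 4096 bytes is taken from this advisory and is assumed to hold for the affected Windows build; the `assess` function takes plain values so it can be exercised with constructed data, while `collect` gathers the real values on a Windows host.

```python
import os
import subprocess
from pathlib import Path

# Indicator values quoted from the advisory (bytes).
CLEAN_KSUSER_SIZE = 4096      # assumption: clean size for the affected Windows build
INFECTED_KSUSER_SIZE = 8480
IMAGE_EXTENSIONS = {".bmp", ".jpg", ".jpeg", ".png", ".gif"}

def assess(ksuser_size, tmp1_present, sksuser_present, dllcache_images, cryptsvc):
    """Match one host's observations against the advisory's indicators.

    Returns a list of findings; an empty list means nothing matched.
    """
    findings = []
    if ksuser_size == INFECTED_KSUSER_SIZE:
        findings.append("ksuser.dll is 8480 bytes (size of the infected DLL)")
    elif ksuser_size is not None and ksuser_size != CLEAN_KSUSER_SIZE:
        findings.append(f"ksuser.dll is {ksuser_size} bytes, not the expected {CLEAN_KSUSER_SIZE}")
    if tmp1_present:
        findings.append("TMP1.tmp present in System32 (copy of the original ksuser.dll)")
    if sksuser_present:
        findings.append("sksuser.dll present in System32 (copy of the original ksuser.dll)")
    if dllcache_images:
        findings.append(f"{len(dllcache_images)} image file(s) in dllcache (possible screenshots)")
    if cryptsvc != "RUNNING":
        findings.append(f"cryptsvc is {cryptsvc or 'missing'}; the trojan stops and deletes it")
    return findings

def query_cryptsvc():
    """Return the cryptsvc state reported by sc.exe (Windows only), else None."""
    try:
        out = subprocess.run(["sc", "query", "cryptsvc"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    for line in out.splitlines():
        if "STATE" in line:
            return line.split()[-1]          # e.g. RUNNING or STOPPED
    return None

def collect(sysdir=None):
    """Read the real indicators from %SysDir% and assess them."""
    sysdir = Path(sysdir or os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    ksuser = sysdir / "ksuser.dll"
    dllcache = sysdir / "dllcache"
    images = [p for p in dllcache.iterdir() if p.suffix.lower() in IMAGE_EXTENSIONS] \
        if dllcache.is_dir() else []
    return assess(ksuser.stat().st_size if ksuser.exists() else None,
                  (sysdir / "TMP1.tmp").exists(), (sysdir / "sksuser.dll").exists(),
                  images, query_cryptsvc())

if __name__ == "__main__":
    for finding in collect():
        print("[!]", finding)
```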