(Trojan.PWS.Wsgame.19083, Win32/Frethog.GIO, PWS.OnlineGames3.AELK)
The size of %SysDir%\ksuser.dll increases from 4096 bytes to 8480 bytes.
Presence of the file: %SysDir%\TMP1.tmp, which is the copy of the original ksuser.dll.
Presence of several pictures in %SysDir%\dllcache\ containing screenshots about the desktop and applications like Internet Explorer or Windows Picture and Fax Viewer.
Please let BitDefender disinfect your files.
Andrea Takacs, virus researcher
When executed it will perform the following actions:
Stops and deletes the cryptsvc (Microsoft's cryptographic service) service, so the system won't be able to verify the digital signatures or integrity of files. Windows Update and Windows File Protection will also be unable to work without this service.
Saves the original %SysDir%\ksuser.dll into %SysDir%\sksuser.dll and copies his own dll into %SysDir%\ksuser.dll.
It will search for game installation directories on every FAT32 or NTFS partition. It will search through running processes, processes with the name ending in game.exe. It will enumerate the content of the SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key to retrieve the paths of executables with the name containing the string game.exe. Then it drops his own ksuser.dll in the found directories to be loaded when the game starts.
The infected ksuser.dll has an overlay of 288 bytes which contains two encrypted links:
The malware will send game information such as username or password to the following url:
It also will take screenshots about the desktop and application windows such as Internet Explorer or Windows Picture and Fax Viewer. The pictures will be saved in %SysDir%\dllcache and will be sent to: http://003.[removed].cn/zhu/post.asp
The trojan deletes itself after the next reboot.