Win32/PSW.Maran [Threat Name] go to Threat

Win32/PSW.Maran.CZ [Threat Variant Name]

Category trojan
Size 48599 B
Detection created Mar 14, 2007
Detection database version 2115
Aliases TrojanSpy:Win32/Maran.AT (Microsoft)
  Infostealer.Okarag (Symantec)
Short description

The trojan collects various information related to online computer games. The trojan can send the information to a remote machine.


When executed, the trojan creates the following files:

  • %windir%\­svchost.exe
  • %system%\­tj3viewer.dll

The trojan registers itself as a system service using the following name:

  • ADIDown

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­ADIDown]
    • "Type" = 16
    • "Start" = 2
    • "ImagePath" = "%windir%\­svchost.exe"
    • "DisplayName" = "Power Adapter"
    • "ObjectName" = "LocalSystem"

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/PSW.Maran.CZ is a trojan that steals account names and passwords for the following online games:

  • Ragnarok Online
  • Lineage I

The trojan can send the information to a remote machine.

Other information

The trojan contains an URL address.

It tries to download several files from the address.

These are stored in the following locations:

  • %system%\­
  • %system%\­delmeml.bat
  • %system%\­xxxxx.bat

The HTTP protocol is used.

The files are then executed.

Please enable Javascript to ensure correct displaying of this content and refresh this page.