Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.NLE [Threat Variant Name]

Category trojan
Size 117104 B
Detection created Jan 09, 2008
Detection database version 2776
Aliases Trojan-PSW.Win32.OnLineGames.obb (Kaspersky)
  Infostealer.Gampass (Symantec)
  New.Malware.hz (McAfee)
Short description

Win32/PSW.OnLineGames.NLE is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the folder:

  • %system%

with the following file names:

  • kavo.exe (117104 B)

The following file is dropped in the same folder:

  • kavo0.dll (96768 B)

Libraries with the following names are injected into all running processes:

  • kavo0.dll

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "kava" = "%system%\kavo.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 145
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0

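The registry artifacts above are the quickest offline triage signal for this variant: the Run entry gives persistence, the three Explorer values keep the dropped files out of sight (hidden files not shown, protected system files hidden, and the Folder Options radio button neutralised so re-enabling them does not take), and NoDriveTypeAutoRun = 145 (0x91) leaves AutoRun active on removable and fixed drives, which the Spreading section relies on. The script below is an added example, not ESET's tooling: it parses a `.reg` export, flags these exact values, and decodes the AutoRun bitmask. The sample export is constructed, with `%system%` expanded to a hypothetical `C:\WINDOWS\system32`.

```python
"""Offline triage of a Windows registry export (.reg) for the registry
artifacts attributed to Win32/PSW.OnLineGames.NLE.

Added example; the sample exports below are constructed, not captured."""
import re

# Constructed sample: what `reg export` of the affected keys would look like
# on a machine showing the listed artifacts (hypothetical system folder).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

# Constructed clean sample: hidden files shown, AutoRun disabled everywhere.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

# (key, value name, predicate on the decoded value, meaning of a hit)
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "kava",
     lambda v: isinstance(v, str) and v.lower().endswith(r"\kavo.exe"),
     "autostart entry for the dropped kavo.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden",
     lambda v: v == 2, "Explorer configured not to show hidden files"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden",
     lambda v: v == 0, "protected operating system files hidden"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun",
     lambda v: v == 145, "AutoRun left enabled for removable and fixed drives (0x91)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue", lambda v: v == 0,
     "'Show hidden files and folders' option made ineffective"),
]

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
AUTORUN_DRIVE_BITS = {
    0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown",
}


def parse_reg_export(text):
    """Return {(key.lower(), name.lower()): value} for string and dword values."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or key is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            # .reg files double backslashes and escape quotes inside strings
            value = rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = rhs  # hex:, expand strings etc. are kept raw
        entries[(key, name.lower())] = value
    return entries


def check_indicators(entries):
    """List human-readable findings for every indicator present with the listed value."""
    findings = []
    for key, name, matches, why in INDICATORS:
        value = entries.get((key.lower(), name.lower()))
        if value is not None and matches(value):
            findings.append(f"{key}\\{name} = {value!r}: {why}")
    return findings


def autorun_enabled_drive_types(mask):
    """Drive types for which AutoRun remains enabled under the given bitmask."""
    return [name for bit, name in AUTORUN_DRIVE_BITS.items() if not mask & bit]


if __name__ == "__main__":
    for finding in check_indicators(parse_reg_export(SAMPLE_REG)):
        print("HIT", finding)
    print("AutoRun still enabled for:", autorun_enabled_drive_types(145))
```

Run against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg` and the equivalent HKLM key), the check reads the decoded dword values rather than the raw export text, so it is not fooled by differing hex padding or key-name case. The bitmask decoder also shows why 145 matters: it is the Windows XP default, under which removable and fixed drives still honour autorun.inf, whereas 255 (0xFF) disables AutoRun for every drive type.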
Spreading

The trojan copies itself into the root folders of fixed and/or removable drives using the following name:

  • f.cmd

The following file is dropped in the same folder:

  • autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.
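Because the page names the dropped files (f.cmd and autorun.inf) but not the autorun.inf contents, a defender checking removable media wants to know which AutoRun hooks in that file hand control to the dropper. The parser below is an added example, not part of the threat description: it walks the `[autorun]` section (and architecture-specific `[autorun.<arch>]` variants), collects the `open`, `shellexecute` and `shell\<verb>\command` entries that AutoRun can execute, and reports whether any of them launches a given file. Both autorun.inf samples are constructed.

```python
"""List what Windows AutoRun would launch from an autorun.inf.

Added example for the spreading behaviour described above; the autorun.inf
contents below are constructed, since the page does not reproduce the file."""

# Constructed sample: hands control to f.cmd in the drive root through each
# AutoRun hook Explorer honours (the page names f.cmd; the hooks are assumed).
SAMPLE_AUTORUN = """[AutoRun]
open=f.cmd
shellexecute=f.cmd
shell\\open\\Command=f.cmd
shell\\open\\Default=1
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample: volume label and icon only, nothing executable.
BENIGN_AUTORUN = """[autorun]
label=Photos
icon=photos.ico
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_ini(text):
    """Minimal INI parser: {section.lower(): {key.lower(): value}}; ';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def autorun_commands(text):
    """Return {hook: command} for every entry in [autorun] that launches something:
    'open', 'shellexecute', and any 'shell\\<verb>\\command'."""
    commands = {}
    for section, keys in parse_ini(text).items():
        if section != "autorun" and not section.startswith("autorun."):
            continue
        for key, value in keys.items():
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                commands[key] = value
    return commands


def launches_file(text, filename):
    """True if any AutoRun hook runs `filename` (base name compared, case-insensitive)."""
    target = filename.lower()
    for cmd in autorun_commands(text).values():
        parts = cmd.split()
        first = parts[0].strip('"').lower() if parts else ""
        if first.rsplit("\\", 1)[-1] == target:
            return True
    return False


if __name__ == "__main__":
    for hook, cmd in autorun_commands(SAMPLE_AUTORUN).items():
        print(f"{hook} -> {cmd}")
    print("launches f.cmd:", launches_file(SAMPLE_AUTORUN, "f.cmd"))
```

The benign sample returns no commands at all, which is the point of the check: an autorun.inf that only sets a label or icon is harmless, while one with any launch hook pointing at a script in the drive root is the spreading mechanism described above. On hosts where NoDriveTypeAutoRun still permits AutoRun for removable and fixed drives (see the Installation section), such a file is enough for the trojan to start when the media is inserted.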

Information stealing

The trojan collects various information related to online computer games.

The trojan gathers information related to the following processes:

  • dekaron.exe
  • elementclient.exe
  • gc.exe
  • ge.exe
  • hyo.exe
  • maplestory.exe
  • Online6.dat
  • Ragexe.exe
  • so3d.exe
  • sro_client.exe
  • wsm.exe
  • ybclient.exe
  • zhengtu.dat

The trojan is able to log keystrokes.

The trojan can send the information to a remote machine.

The HTTP protocol is used.

Other information

The trojan can download and execute a file from the Internet.

The trojan contains a list of (13) URLs.

The trojan interferes with the operation of some security applications to avoid detection.

It uses techniques common for rootkits.
