Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.OUM [Threat Variant Name]

Category trojan
Size 100352 B
Detection created Mar 25, 2010
Detection database version 4973
Aliases Trojan-GameThief.Win32.Magania.ddct (Kaspersky)
  Worm:Win32/Taterf.DL (Microsoft)
  W32/Taterf.B!Generic (F-Prot)
Short description

Win32/PSW.OnLineGames.OUM is a trojan which tries to download other malware from the Internet. The trojan interferes with the operation of some security applications to avoid detection. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.


The following file is dropped into the %system% folder:

  • softqq0.dll (64512 B)

The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-B9B3-483E-C484D4B20B72}]
    • "VcbitExeModuleName" = "%malwarepath%"
    • "VcbitDllModuleName" = "%system%\softqq0.dll"
    • "VcbitSobjEventName" = "CVBASDDOOPADSAMN_0"
  • [HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32]
    • "(Default)" = "%system%\softqq0.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    • "{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}" = "hook dll rising"
  • [HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT]
    • "KVBIT_1"
    • "KVBIT_2"
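The ShellExecuteHooks entry above is the trojan's persistence point: the shell loads every CLSID listed under that key when ShellExecute runs, so the dropped softqq0.dll is loaded without any Run key. As an added example (not part of the original page or ESET's own tooling), the following Python parses a .reg export of the relevant hives and reports every ShellExecuteHooks CLSID that is not Windows' own URL Exec Hook, resolving each to the DLL its InprocServer32 value names. The .reg text is constructed to mirror the entries listed above.

```python
# Constructed .reg export excerpt (not a real capture); it mirrors the keys listed on this page
# plus Windows' standard URL Exec Hook entry so the filter has a benign hook to skip.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@="C:\\Windows\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32]
@="C:\\Windows\\system32\\softqq0.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}"="hook dll rising"
"""

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
# Windows' own URL Exec Hook (shell32.dll); any other CLSID under ShellExecuteHooks deserves review.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '@' becomes '(Default)'. String values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def inproc_server(keys, clsid):
    """Resolve a CLSID to the DLL its InprocServer32 (Default) names; key names are case-insensitive."""
    target = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\INPROCSERVER32").upper()
    for key, values in keys.items():
        if key.upper() == target:
            return values.get("(Default)")
    return None

def suspicious_hooks(reg_text):
    """Return [(clsid, dll_path)] for every ShellExecuteHooks CLSID outside the allowlist."""
    keys = parse_reg(reg_text)
    hooks = next((v for k, v in keys.items() if k.upper() == HOOKS_KEY.upper()), {})
    return [(c.upper(), inproc_server(keys, c.upper()))
            for c in hooks if c.upper() not in KNOWN_GOOD_HOOKS]
```

Run `suspicious_hooks(REG_EXPORT)` on a real export (for example from `reg export`) to list each unexpected hook together with the DLL it loads; the file path and its signature are what an analyst then inspects.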
Other information

The trojan interferes with the operation of some security applications to avoid detection.


The following files are modified:

  • SUpdate.exe
  • autoup.exe
  • luall.exe
  • avast.setup
  • setup.ovr
  • updater.dll
  • eguiEpfw.dll
  • eguiEmon.dll
  • ekrnEpfw.dll
  • ekrnEmon.dll
  • prupdate.ppl
  • SfFnUp.exe
  • UfUpdUi.exe
  • preupd.exe
  • update.exe
  • vsupdate.dll
  • avgupd.exe
  • setup.ovr
  • avast.setup
  • VisthUpd.exe
  • %system%\drivers\klif.sys
  • %system%\drivers\cdaudio.sys

The trojan may create copies of the following files (source, destination):

  • %windir%\notepad.exe, %windir%\AhnRpta.exe

The trojan may delete the following files:

  • Update.exe
  • AYUpdate.aye
  • mcupdate.exe

The trojan may create the following files:

  • c:\%variable%.vcd

A string with variable content is used instead of %variable%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
    • "Masks" = "%value%"

A string with variable content is used instead of %value%.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The trojan can download and execute a file from the Internet. The HTTP protocol is used.
