Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.PVY [Threat Variant Name]

Category trojan
Size 34816 B
Detection created Nov 06, 2011
Detection database version 6606
Aliases PWS:Win32/Lolyda.BF (Microsoft)
  Infostealer.Gampass (Symantec)
Short description

Win32/PSW.OnLineGames.PVY is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %temp%\%variable%.dat (35617 B)
  • %system%\sysapp%variable%.dll (35617 B)

A string with variable content is used instead of %variable%.


The trojan creates copies of the following files (source, destination):

  • %system%\ksuser.dll, %system%\YUksuser.dll
  • %system%\midimap.dll, %system%\YUmidimap.dll
  • %system%\comres.dll, %system%\YUcomres.dll

The following files are modified:

  • %system%\ksuser.dll
  • %system%\midimap.dll
  • %system%\comres.dll
  • %system%\dllcache\ksuser.dll
  • %system%\dllcache\midimap.dll
  • %system%\dllcache\comres.dll
  • %dragonnestgamerootpath%\ksuser.dll
  • %dragonnestgamerootpath%\midimap.dll

The trojan executes the following command:

  • %system%\rundll32.exe %temp%\%variable%.dat, ServerMain %malwarepath%

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects information related to the following applications:

  • Dragon Nest
  • Microsoft Word
  • Microsoft Excel
  • Microsoft Internet Explorer
  • Microsoft Windows Picture and Fax Viewer
  • Microsoft Paint
  • Microsoft Explorer
  • Google Chrome
  • ACD Systems ACDSee

The trojan collects the following information:

  • network adapter information

It can execute the following operations:

  • capture screenshots

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL. The HTTP protocol is used.

Other information

The following programs are terminated:

  • DragonNest.exe

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • 360Safe.exe
  • 360tray.exe
  • 360sd.exe

The trojan may execute the following commands:

  • net stop cryptsvc
  • sc config cryptsvc start= disabled
  • sc delete cryptsvc
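The rundll32 command from the Installation section and the three cryptsvc commands above are the two process-creation artefacts a responder can search for in endpoint telemetry. The first loads the dropped DLL under its .dat extension and calls its ServerMain export; the cryptsvc commands stop, disable and delete Cryptographic Services, which on the Windows versions this variant targets is what Windows File Protection relies on to verify and restore the system DLLs the trojan has modified (that purpose is my reading, not stated on the page). The detection logic below is an added example, not ESET's code; the event layout (host, image, cmdline) and the sample records are constructed for it, with the command lines taken from this description.

```python
"""Detection logic for the process-creation artefacts listed on this page.

Added example, not ESET's own code. The event shape (a dict with host, image and
cmdline keys) and the sample records are constructed; real Sysmon or EDR fields
would be mapped onto those three keys before calling scan()/triage().
"""
import re

# Constructed sample telemetry: one infected host (ws01) plus benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\DOCUME~1\user\LOCALS~1\Temp\k3qz.dat, ServerMain C:\Downloads\DragonNest_patch.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop cryptsvc"},
    {"host": "ws01", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc config cryptsvc start= disabled"},
    {"host": "ws01", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc delete cryptsvc"},
    # Benign look-alikes that must not fire.
    {"host": "ws02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"host": "ws02", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query cryptsvc"},
    {"host": "ws03", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop spooler"},
]

# Rule 1: rundll32 loading a ".dat" from a Temp directory and invoking ServerMain.
# The payload is a DLL hidden under a non-DLL extension, so the extension plus the
# export name from the description is the tell.
RUNDLL32_DAT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]*\\temp\\[^",]+\.dat)"?\s*,\s*ServerMain\b',
    re.IGNORECASE)

# Rule 2: the exact service-tampering commands the trojan may run against cryptsvc.
# "sc query cryptsvc" and "net stop <other service>" deliberately do not match.
CRYPTSVC_TAMPER = re.compile(
    r'(?:^|[\\\s])(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:config|delete))\s+cryptsvc\b',
    re.IGNORECASE)


def match_event(event):
    """Return the rule names one event triggers (empty list when benign)."""
    hits = []
    cmd = event.get("cmdline", "")
    image = event.get("image", "").lower()
    if image.endswith("rundll32.exe") and RUNDLL32_DAT.search(cmd):
        hits.append("rundll32_dat_servermain")
    if CRYPTSVC_TAMPER.search(cmd):
        hits.append("cryptsvc_tamper")
    return hits


def scan(events):
    """Map host -> set of rule names seen across a batch of events."""
    per_host = {}
    for ev in events:
        for rule in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return per_host


def triage(events):
    """Rate hosts: 'high' when both the loader and the cryptsvc tampering are seen
    (the combination this description lists), 'medium' for either one alone."""
    both = {"rundll32_dat_servermain", "cryptsvc_tamper"}
    return {host: ("high" if both <= rules else "medium")
            for host, rules in scan(events).items()}


if __name__ == "__main__":
    for host, rating in triage(SAMPLE_EVENTS).items():
        print(host, rating, sorted(scan(SAMPLE_EVENTS)[host]))
```

Rule 1 keys on the Temp path and the .dat extension rather than the variable file name, since the name changes per sample; rule 2 is deliberately narrow so that routine `sc query` or service stops for other services do not page anyone.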

The trojan hooks the following Windows APIs:

  • send (wsock32.dll)
  • recv (wsock32.dll)
  • sendto (wsock32.dll)
  • MessageBoxTimeoutW (user32.dll)
  • KsCreatePin (ksuser.dll)
  • KsCreateTopologyNode (ksuser.dll)
  • KsCreateAllocator (ksuser.dll)
  • DriverProc (midimap.dll)
  • modMessage (midimap.dll)
  • modmCallback (midimap.dll)
  • COMResModuleInstance (comres.dll)

The trojan may create the following files:

  • %system%\lzgCfg.ini
  • %temp%\SerList.xml
  • %system%\%variable%_%number%.bmp
  • %system%\%variable%_%number%.jpg
  • %system%\%variable%_l%number%.bmp
  • %system%\%variable%_l%number%.jpg

A string with variable content is used instead of %variable%, %number%.
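The file artefacts from the Installation section and the list above give a responder something to check on disk: the YU-prefixed copies of ksuser.dll, midimap.dll and comres.dll are the untouched originals, kept so that the trojanised replacements (which export the same names, per the hooked-API list) can forward calls to them, and sysapp%variable%.dll, lzgCfg.ini and SerList.xml are dropped alongside. The scanner below is an added example, not ESET's code. It assumes the directory layout described on this page; the sample tree it builds is constructed, and on a real host you would point it at %SystemRoot%\System32, the dllcache directory, the Dragon Nest install directory and %TEMP%.

```python
"""File-system triage for the DLL-proxying artefacts listed on this page.

Added example, not ESET's own code. The sample tree is constructed; the file names
and the YU prefix come from the description.
"""
import hashlib
import os
import re
import tempfile

# System DLLs the trojan replaces after copying each original to a YU-prefixed name.
PROXIED_DLLS = ("ksuser.dll", "midimap.dll", "comres.dll")
BACKUP_PREFIX = "YU"

# Other files the description says it creates; sysapp<variable>.dll is the payload.
DROPPED_PATTERNS = [
    ("dropped_payload", re.compile(r"^sysapp.+\.dll$", re.IGNORECASE)),
    ("config_file", re.compile(r"^lzgCfg\.ini$", re.IGNORECASE)),
    ("server_list", re.compile(r"^SerList\.xml$", re.IGNORECASE)),
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory):
    """Return findings for one directory: proxied DLLs (with whether the live DLL
    differs from its YU backup, i.e. has been replaced) and dropped files."""
    findings = []
    try:
        names = os.listdir(directory)
    except OSError:
        return findings
    lower = {n.lower(): n for n in names}
    for dll in PROXIED_DLLS:
        backup = (BACKUP_PREFIX + dll).lower()
        if backup not in lower:
            continue
        live = os.path.join(directory, lower.get(dll, dll))
        backup_path = os.path.join(directory, lower[backup])
        finding = {"kind": "proxied_dll", "path": live, "backup": backup_path}
        # The backup is the original, so a hash mismatch means the live file was replaced.
        finding["modified"] = (sha256_of(live) != sha256_of(backup_path)
                               if os.path.isfile(live) else None)
        findings.append(finding)
    for name in names:
        for kind, pattern in DROPPED_PATTERNS:
            if pattern.match(name):
                findings.append({"kind": kind, "path": os.path.join(directory, name)})
    return findings


def scan(directories):
    out = []
    for d in directories:
        out.extend(scan_directory(d))
    return out


def summarize(findings):
    """Map lower-cased file name -> finding, for reporting."""
    return {os.path.basename(f["path"]).lower(): f for f in findings}


def build_sample_tree():
    """Constructed sample: a fake System32 after infection. Returns its path."""
    root = tempfile.mkdtemp(prefix="pvy_sample_")
    files = {
        "YUksuser.dll": b"original ksuser",
        "ksuser.dll": b"trojanised ksuser forwarding to YUksuser",
        "YUmidimap.dll": b"original midimap",
        "midimap.dll": b"original midimap",  # copied but, in this sample, not yet replaced
        "sysappq7x1.dll": b"dropped payload",
        "lzgCfg.ini": b"[cfg]",
        "kernel32.dll": b"unrelated system file",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for name, finding in summarize(scan([build_sample_tree()])).items():
        print(name, finding["kind"], finding.get("modified"))
```

A YU-prefixed file next to a system DLL is a strong indicator on its own; the hash comparison distinguishes a replacement already in place from a copy made just before the swap, and a backup with no live file means the swap was interrupted or cleaned up.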
