Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.PWV [Threat Variant Name]

Category trojan
Size 43932 B
Detection created Nov 24, 2011
Detection database version 6656
Aliases PWS:Win32/OnLineGames.JT (Microsoft)
  Win32/PolyCrypt.dropper (AVG)
Short description

The trojan steals login credentials for the on-line game Counter Strike Online and attempts to send the gathered information to a remote machine. The file is run-time compressed with UPX.

Installation

When executed, the trojan creates the following files:

  • %windir%\system32\mgt26012.ocx (16896 B)
  • %windir%\system32\mgt99018.ocx (60928 B)
  • %windir%\Fonts\mgt26012.ttf (412 B)

The trojan creates copies of the following files (source, destination):

  • %windir%\System32\rundll32.exe, %windir%\system32\jahjah26.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan executes the following commands (jahjah26.exe is the copy of rundll32.exe created above, so each command loads the named .ocx file as a DLL):

  • %windir%\system32\jahjah26.exe %windir%\system32\mgt26012.ocx pfjaoidjglkajd %malwarefilepath%
  • %windir%\system32\jahjah26.exe %windir%\system32\mgt99018.ocx pfjieaoidjglkajd

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\ControlSet001\control\Keyboard Layouts\%layout%]
    • "Ime file" = "mgt99018.ocx"
    • "Layout Text" = "US"
    • "Layout File" = "kbdus.dll"
  • [HKEY_CURRENT_USER\Keyboard Layout\Preload]
    • "1" = "%layout%"

Registering the dropped DLL as the IME file of a preloaded keyboard layout makes Windows load it into every process that initializes keyboard input, so the trojan is executed on every application start.


The trojan quits immediately if the executable filename is one of the following:

  • my.exe
  • wow.exe
  • xy2.exe
  • dragonnest.exe
  • dnlauncher.exe
  • qqlogin.exe
  • iexplore.exe
  • xcb.data

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects information related to the on-line game Counter Strike Online.


The following information is collected:

  • login name
  • login password

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of 5 URLs and communicates over HTTP.

Other information

The trojan terminates processes with any of the following strings in the name:

  • imeutil.exe
  • sgtool.exe
  • 360safe.exe
  • 360tray.exe
  • config.exe
  • sogou

The trojan may create copies of the following files (source, destination):

  • %windir%\system32\kernel32.dll, %temp%\win07%random%.dll

A string with variable content is used instead of %random%.


The trojan may delete the following files:

  • %counterstrikeonlinerootfolder%\dsound.dll
  • %counterstrikeonlinerootfolder%\draw.dll
  • %counterstrikeonlinerootfolder%\comres.dll
  • %counterstrikeonlinerootfolder%\kuser.dll
  • %counterstrikeonlinerootfolder%\midimap.dll

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "SfcDisable" = 1

It may perform the following actions:

  • open a specific URL address
  • send gathered information

If the current system date and time match certain conditions, the trojan deactivates some of its features.
