Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.QNW [Threat Variant Name]

Category trojan
Size 42908 B
Detection created Jan 31, 2012
Detection database version 6842
Aliases Trojan-GameThief.Win32.Magania.ggke (Kaspersky)
  Trojan.Gen (Symantec)
Short description

Win32/PSW.OnLineGames.QNW is a trojan that steals sensitive information. The trojan collects information related to the on-line game Counter Strike Online. The trojan attempts to send gathered information to a remote machine. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • %systemdrive%\Program Files\Common Files\whh26003.ocx
  • %systemdrive%\Program Files\Common Files\%variable%ce.dll
  • %system%\whhfd008.ocx

A string with variable content is used instead of %variable%.


The trojan may create copies of the following files (source, destination):

  • %system%\kernel32.dll, %temp%\win06%variable%.dll

The trojan executes the following commands:

  • rundll32.exe "%system%\whhfd008.ocx" pfjieaoidjglkajd
  • rundll32.exe "%systemdrive%\Program Files\Common Files\%variable%ce.dll" m3
  • rundll32.exe "%systemdrive%\Program Files\Common Files\whh26003.ocx" pfjieaoidjglkajd

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Keyboard Layout\Preload]
    • "1" = "%layout%"
    • "2" = "%defaultlayout%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\%layout%]
    • "Ime File" = "WHHFD008.OCX"
    • "Layout Text" = "US"
    • "Layout File" = "kbdus.dll"

This causes the trojan to be executed on every system start.
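As an added example, not part of the ESET description: a small Python triage helper that parses a constructed .reg export modelled on the entries above and flags any keyboard layout that is preloaded at logon but whose "Ime File" is not a conventional .ime (the layout id e0010409 is an assumed placeholder for %layout%; the extension rule is a heuristic and may need tuning for legitimate IMEs).

```python
import re
from typing import Dict, List

# Constructed sample .reg export modelled on the registry entries described
# in the write-up; e0010409 is an assumed placeholder for %layout%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Keyboard Layout\Preload]
"1"="e0010409"
"2"="00000409"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\e0010409]
"Ime File"="WHHFD008.OCX"
"Layout Text"="US"
"Layout File"="kbdus.dll"
"""

PRELOAD = r"HKEY_CURRENT_USER\Keyboard Layout\Preload"
LAYOUTS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg export: {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val_match and current is not None:
            keys[current][val_match.group(1)] = val_match.group(2)
    return keys


def suspicious_layouts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Layouts listed in Preload whose 'Ime File' does not carry the usual .ime extension."""
    preloaded = {v.lower() for v in keys.get(PRELOAD, {}).values()}
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(LAYOUTS.lower() + "\\"):
            continue
        layout_id = key.rsplit("\\", 1)[1].lower()
        ime = values.get("Ime File", "")
        if ime and not ime.lower().endswith(".ime") and layout_id in preloaded:
            hits.append(f"{layout_id}: Ime File={ime}")
    return hits
```

Run `suspicious_layouts(parse_reg(open("export.reg").read()))` against a real export to surface layouts worth a closer look.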

Information stealing

Win32/PSW.OnLineGames.QNW is a trojan that steals sensitive information.


The trojan collects information related to the on-line game Counter Strike Online.


The trojan collects the following information:

  • login name
  • login password

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (5) URLs. The HTTP protocol is used.

Other information

The trojan may create and run a new thread with its own program code within any running process.


The trojan quits immediately if the executable file path contains one of the following strings:

  • dragonnest.exe
  • dnlauncher.exe
  • qqlogin.exe
  • iexplore.exe
  • xcb.dat
  • imeutil.exe
  • sgtool.exe
  • 360safe.exe
  • 360tray.exe
  • sogou*config.exe
