Win32/PSW.Kykymber [Threat Name]

Win32/PSW.Kykymber.AA [Threat Variant Name]

Category: trojan
Size: 24948 B
Aliases:
  Trojan-Dropper.Win32.Vedio.eny (Kaspersky)
  TrojanDropper:Win32/Agent.KA (Microsoft)
  Trojan.Gampass!inf (Symantec)

Short description

The trojan collects information related to the on-line game Woool. The file is run-time compressed using UPX.


When executed, the trojan drops the following file in the %progamfilescommon% folder:

  • log%random%.ind

A string with variable content is used instead of %random%.

The following files are modified:

  • %system%\dsound.dll
  • %system%\dllCache\dsound.dll

The modified file contains the original program code along with the program code of the infiltration.

The host file is modified in a way that causes the trojan to be executed prior to running the original code.

The trojan creates and runs a new thread with its own program code within the following processes:

  • woool.dat
  • woool88.dat

After the installation is complete, the trojan deletes the original executable file.
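
The file-system indicators listed above can be checked with a short triage script. This is an added example, not part of the original description; it assumes that %progamfilescommon% refers to the Common Files folder, that %system% is the Windows system directory (System32, plus SysWOW64 on 64-bit Windows), and a PowerShell version whose Get-AuthenticodeSignature also validates catalog-signed system files (5.1 on Windows 10 or later).

```powershell
# Added triage example: looks for the file-system indicators described above.
# Assumptions: %progamfilescommon% = Common Files folder(s),
#              %system% = System32 (and SysWOW64 on 64-bit Windows).

$commonDirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
$systemDirs = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64')) |
    Where-Object { Test-Path -LiteralPath $_ }

# 1. Dropped file: log<variable string>.ind in the Common Files folder.
$dropped = foreach ($dir in $commonDirs) {
    Get-ChildItem -LiteralPath $dir -Filter 'log*.ind' -File -Force -ErrorAction SilentlyContinue
}

# 2. dsound.dll in the system directory and its dllCache copy (if present).
#    A file that carries added foreign code no longer matches its signature
#    or catalog hash, so any status other than 'Valid' needs a manual look.
$dllReport = foreach ($dir in $systemDirs) {
    foreach ($rel in 'dsound.dll', 'dllCache\dsound.dll') {
        $path = Join-Path $dir $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Modified  = (Get-Item -LiteralPath $path -Force).LastWriteTimeUtc
        }
    }
}

# Report findings; hashes are printed so they can be compared with a known-good copy.
@($dropped) | Select-Object FullName, Length, LastWriteTimeUtc | Format-Table -AutoSize
@($dllReport) | Format-List

$suspect = @($dllReport | Where-Object { $_.Signature -ne 'Valid' })
if (@($dropped).Count -gt 0 -or $suspect.Count -gt 0) {
    Write-Warning 'Indicators consistent with Win32/PSW.Kykymber.AA found; verify dsound.dll against a known-good copy.'
}
```

A match on either check is a lead for further analysis, not a verdict: other software may use the same file name pattern, and an unsigned dsound.dll can also result from an unsupported signature check on older systems.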

Information stealing

The trojan collects information related to the on-line game Woool.

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of 2 URLs. The HTTP protocol is used.

Other information

The trojan hooks the following Windows APIs:

  • connect (ws2_32.dll)

It can execute the following operations:

  • capture screenshots
  • terminate running processes
  • send gathered information
