Win32/PSW.OnLineGames [Threat Name] go to Threat

Win32/PSW.OnLineGames.NNT [Threat Variant Name]

Category trojan
Size 107854 B
Aliases Trojan.Win32.Vaklik.ya (Kaspersky)
  W32/Autorun.worm.bx.gen (McAfee)
  Packer.Win32.Mian007.a (Rising)
Short description

Win32/PSW.OnLineGames.NNT is a trojan that steals sensitive information. The trojan can send the information to a remote machine.


When executed, the trojan copies itself into the %system% folder using the following name:

  • mmvo.exe

The following file is dropped in the same folder:

  • mmvo%number%.dll

The following files are dropped into the %temp% folder:

  • uveyg.dll
  • %variable%.sys

A string with variable content is used instead of %variable% .

The variable %number% represents a randomly generated number in the range 0-9 .

Libraries with the following names are injected into all running processes:

  • %system%\­mmvo%number%.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SoftWare\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "mmva" = "%system%\­mmvo.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­explorer\­Advanced\­Folder\­Hidden\­SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutoRun" = 91

The trojan copies itself into the root folders of fixed and/or removable drives using the following name:

  • uevr.cmd

The following file is dropped in the same folder:

  • autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.

Information stealing

The trojan gathers information related to the following processes:

  • Ragexe.exe
  • lin.bin
  • YPagerj.exe
  • YahooWidgetEngine.exe
  • pol.exe

The trojan is able to log keystrokes.

The trojan can send the information to a remote machine.

The HTTP/HTTPS protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs.

The trojan can download and execute a file from the Internet.

The file is then saved as %temp%\uu.exe and executed.

The trojan interferes with the operation of some security applications to avoid detection.

It uses techniques common for rootkits.

Please enable Javascript to ensure correct displaying of this content and refresh this page.