Win32/PSW.OnLineGames [Threat Name]

Win32/PSW.OnLineGames.OOW [Threat Variant Name]

Category: trojan
Size: 20699 B
Detection created: Nov 12, 2009
Detection database version: 4600
Aliases: Trojan-GameThief.Win32.WOW.unh (Kaspersky)
  Infostealer.Gampass (Symantec)
  PWS:Win32/Lolyda.AU (Microsoft)

Short description

Win32/PSW.OnLineGames.OOW is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %temp%\~%variable%.~~~ (371200 B)
  • %windir%\system\gz29030.ini (1564 B)
  • %windir%\system\gz29030.dll (53248 B)

The trojan may create copies of the following files (source, destination):

  • %system%\rundll32.exe, %system%\gz29030.exe

The trojan creates copies of the following files (source, destination):

  • %system%\rpcss.dll, %system%\gzrpcss.dll

The trojan attempts to replace the following files with a copy of itself:

  • %system%\rpcss.dll

The trojan loads and injects the "%windir%\system\gz29030.dll" library into the following processes:

  • explorer.exe

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
    • "ObjectName" = "LocalSystem"
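
An added triage example (not ESET's code): a Python check of a Windows directory, either live or from a mounted disk image, for the file names and sizes listed above. It assumes %system% is the System32 directory; `find_ci` and `scan` are names made up for this example, and a name or size match is a lead for further analysis, not proof of infection.

```python
import os
import sys

# Indicators from the description above: path relative to %windir% and the size
# the description reports (None where no size is given). Assumption: %system%
# is the System32 directory.
INDICATORS = [
    ("system/gz29030.ini", 1564),
    ("system/gz29030.dll", 53248),
    ("System32/gz29030.exe", None),   # copy of rundll32.exe
    ("System32/gzrpcss.dll", None),   # copy of the original rpcss.dll
]
TROJAN_SIZE = 20699  # size of the trojan as listed in the description


def find_ci(root, rel):
    """Resolve rel under root ignoring case (for images mounted on Linux)."""
    cur = root
    for part in rel.split("/"):
        try:
            names = os.listdir(cur)
        except OSError:
            return None
        hit = [n for n in names if n.lower() == part.lower()]
        if not hit:
            return None
        cur = os.path.join(cur, hit[0])
    return cur if os.path.isfile(cur) else None


def scan(windir):
    """Return (relative path, size on disk, note) for every indicator found."""
    findings = []
    for rel, expected in INDICATORS:
        path = find_ci(windir, rel)
        if path:
            size = os.path.getsize(path)
            note = "size matches" if size == expected else "name match only"
            findings.append((rel, size, note))
    # rpcss.dll always exists; it is suspicious only when it has the trojan's size.
    rpcss = find_ci(windir, "System32/rpcss.dll")
    if rpcss and os.path.getsize(rpcss) == TROJAN_SIZE:
        findings.append(("System32/rpcss.dll", TROJAN_SIZE, "same size as the trojan"))
    return findings


if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"):
        print(*finding, sep="\t")
```
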

Information stealing

The trojan collects information related to the on-line game World of Warcraft.

The trojan creates and runs a new thread with its own program code within the following processes:

  • wow.exe

The trojan can send the information to a remote machine. The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan may create the following files:

  • %WOWfolder%\temp%variable%.gif

A string with variable content is used instead of %variable%.
