Win32/PSW.OnLineGames [Threat Name]
Win32/PSW.OnLineGames.OUM [Threat Variant Name]
Category | trojan
Size | 100352 B
Aliases | Trojan-GameThief.Win32.Magania.ddct (Kaspersky); Worm:Win32/Taterf.DL (Microsoft); W32/Taterf.B!Generic (F-Prot)
Short description
Win32/PSW.OnLineGames.OUM is a trojan which tries to download other malware from the Internet. The trojan interferes with the operation of some security applications to avoid detection. The trojan is probably a part of other malware.
Installation
The trojan does not create any copies of itself.
The following file is dropped into the %system% folder:
- softqq0.dll (64512 B)
The following Registry entries are created:
- [HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-B9B3-483E-C484D4B20B72}]
- "VcbitExeModuleName" = "%malwarepath%"
- "VcbitDllModuleName" = "%system%\softqq0.dll"
- "VcbitSobjEventName" = "CVBASDDOOPADSAMN_0"
- [HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32]
- "(Default)" = "%system%\softqq0.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
- "{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}" = "hook dll rising"
- [HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT]
- "KVBIT_1"
- "KVBIT_2"
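The registry entries above give a defender concrete persistence artifacts to check for: a ShellExecuteHooks entry loads the dropped DLL into any process that calls ShellExecute, and the COM registration points the CLSID at that DLL. The following read-only PowerShell check is an added example, not part of this ESET entry; it assumes the CLSID, DLL name and marker key exactly as listed above and must be run in an elevated session to read the HKLM hook key.

```powershell
# Added example (not from the ESET entry): read-only check for the persistence
# artifacts this page attributes to Win32/PSW.OnLineGames.OUM.
# Run in an elevated PowerShell; it only reads the registry and file system.

$clsid = '{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}'   # CLSID from the page
$sys   = [Environment]::GetFolderPath('System')     # resolves %system%

$findings = New-Object System.Collections.Generic.List[string]

# 1. ShellExecuteHooks: a value named after the CLSID means the DLL is
#    loaded into every process that calls ShellExecute.
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    $props = Get-ItemProperty -Path $hooks
    if ($props.PSObject.Properties.Name -contains $clsid) {
        $findings.Add("ShellExecuteHooks entry $clsid = '$($props.$clsid)'")
    }
}

# 2. COM registration that maps the CLSID to the dropped DLL.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $inproc) {
    $server = (Get-ItemProperty -Path $inproc).'(default)'
    $findings.Add("CLSID $clsid InprocServer32 -> '$server'")
}

# 3. Marker key the page lists under HKCR\CLSID.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT') {
    $findings.Add('Marker key HKCR\CLSID\NOD32KVBIT present')
}

# 4. The dropped DLL itself (page states 64512 B for this variant).
$dll = Join-Path $sys 'softqq0.dll'
if (Test-Path -LiteralPath $dll) {
    $size = (Get-Item -LiteralPath $dll).Length
    $findings.Add("File present: $dll ($size B; page lists 64512 B)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/PSW.OnLineGames.OUM artifacts found.'
} else {
    Write-Output 'Possible Win32/PSW.OnLineGames.OUM artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the ShellExecuteHooks value alone is worth investigating even if the DLL is missing, since the page notes the registry entries are created separately from the drop.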
Other information
The trojan interferes with the operation of some security applications to avoid detection.
The following files are modified:
- SUpdate.exe
- autoup.exe
- luall.exe
- avast.setup
- setup.ovr
- updater.dll
- eguiEpfw.dll
- eguiEmon.dll
- ekrnEpfw.dll
- ekrnEmon.dll
- prupdate.ppl
- SfFnUp.exe
- UfUpdUi.exe
- preupd.exe
- update.exe
- vsupdate.dll
- avgupd.exe
- avgupd.exe
- setup.ovr
- avast.setup
- VisthUpd.exe
- %system%\drivers\klif.sys
- %system%\drivers\cdaudio.sys
The trojan may create copies of the following files (source, destination):
- %windir%\notepad.exe, %windir%\AhnRpta.exe
The trojan may delete the following files:
- Update.exe
- AYUpdate.aye
- mcupdate.exe
The trojan may create the following files:
- c:\%variable%.vcd
A string with variable content is used instead of %variable%.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile\UrlSets\Node_00000000]
- "Masks" = "%value%"
A string with variable content is used instead of %value%.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. The trojan can download and execute a file from the Internet. The HTTP protocol is used.