Win32/PSW.OnLineGames [Threat Name] go to Threat

Win32/PSW.OnLineGames.QNB [Threat Variant Name]

Category trojan
Size 38400 B
Detection created Jun 06, 2011
Detection database version 6185
Aliases Trojan-GameThief.Win32.OnLineGames.xwsw (Kaspersky)
  PWS:Win32/OnLineGames.ZDV (Microsoft)
  TSPY_ONLINEG.CJE (TrendMicro)
Short description

The trojan collects various information related to online computer games. The file is run-time compressed using PECompact .

Installation

When executed, the trojan creates the following files:

  • %system%\­win32.dll (98304 B)

The trojan creates copies of the following files (source, destination):

  • %system%\­imm32.dll, %system%\­bakimm32.bin
  • %system%\­imm32.dll, %system%\­imm32.dll%random%.tmp

A string with variable content is used instead of %random% .


The trojan modifies the following file:

  • %system%\­imm32.dll

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "AppInit_DLLs" = "%originalvalue%, win32.dll"

This way the trojan ensures that the libraries with the following names will be injected into all running processes:

  • %system%\­win32.dll

The trojan can create and run a new thread with its own program code within the following processes:

  • iexplore.exe

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan collects various information related to online computer games.


The trojan collects the following information:

  • login name
  • login password

The trojan gathers information related to the following processes:

  • dnf.exe
  • MapleStory.exe
  • lin.bin
  • ff2client.exe
  • heroes.exe
  • Game.exe
  • ExLauncher.exe
  • TERA.exe
  • OTP
  • AION.bin
  • DarkBlood.exe
  • LOB.exe

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (16) URLs. The HTTP protocol is used.


The trojan hooks the following Windows APIs:

  • InternetReadFile (wininet.dll)
  • HttpWrapSendRequest (wininet.dll)
  • ReadFile (kernel32.dll)
  • MultiByteToWideChar (kernel32.dll)
  • GlobalUnlock (kernel32.dll)
  • send (ws2_32.dll)

The trojan terminates processes with any of the following strings in the name:

  • AYAgent.aye
  • ALYac.aye
  • SystemMon.exe
  • SkyMon.exe
  • nsvmon.npc
  • nvc.npc
  • nvcagent.npc
  • Nsavsvc.npc
  • pcotp.exe

The trojan may create the following files:

  • %system%\­pmangLog.ini
  • %system%\­it1.ini
  • %system%\­AionLog.ini
  • %system%\­FBloodLog.ini
  • %system%\­DarkBloodLog.ini
  • %system%\­GameLog.ini
  • %system%\­FFlog.ini
  • %system%\­TianyLog.ini
  • %system%\­hangame.ini
  • %system%\­MXDLog.ini
  • %system%\­DfLog.ini
  • %system%\­LuoqiLog.ini

Please enable Javascript to ensure correct displaying of this content and refresh this page.