PWS-Zhengtu
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 05/01/2006
- Length: Varies
- Minimum DAT: 4752 (05/01/2006)
- Updated DAT: 6317 (04/15/2011)
- Minimum Engine: 5.1.00
- Description Added: 05/01/2006
- Description Modified: 02/16/2007 8:57 AM (PT)
Characteristics
This trojan collects user information for Zhengtu, a massively multiplayer online role-playing game (MMORPG) in China. It collects game server information from config.ini as well as the player's login ID and password.
PWS-Zhengtu drops a DLL component into the %Windir%\System32 folder and installs itself into a newly created %Windir%\uninstall folder. The DLL is injected into Windows Explorer (Explorer.exe) and other running processes. Outgoing network connections may be spoofed to appear to be coming from Windows Explorer.
(Where %Windir% is the Windows folder, e.g. C:\Windows)
It may attempt to connect to:
- http://{blocked}.scriptt.in/{blocked}/zt/get.asp
Possible filename(s) used by PWS-Zhengtu:
- run1132.dll
- rundl132.exe
- richdll.dll
- cnscheck100.dll
- run1132.exe
- winlog0n.exe
It can hook system and application startup by installing the following registry key(s):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{CLASSID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLASSID}
{CLASSID} may vary in different variants.
In some variants, the system hosts file may be deleted. This system hosts file is typically installed in the default folder:
- %Windir%\System32\drivers\etc\hosts
Symptoms
- Presence of the mentioned file(s) and registry key(s).
- Outgoing network connections to the mentioned domain(s).
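The symptoms above can be checked on a suspect host with a short triage script. The following PowerShell is an added example, not McAfee's own tooling; it only reads the file system and registry, and it assumes the file names, registry keys and hosts path listed in this description (legitimate ShellExecuteHooks entries exist on some systems, so hook findings need manual review).

```powershell
# Added example (not McAfee's code): read-only triage for the PWS-Zhengtu indicators listed above.
$names = @('run1132.dll','rundl132.exe','richdll.dll','cnscheck100.dll','run1132.exe','winlog0n.exe')
$windir = $env:WINDIR
$findings = @()

# 1. Dropped files in %Windir%\System32 and the trojan's own %Windir%\uninstall folder
foreach ($dir in @("$windir\System32", "$windir\uninstall")) {
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 2. Run key values whose command line references one of the listed file names
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($n in $names) {
            if ("$($prop.Value)" -match [regex]::Escape($n)) {
                $findings += "Run value '$($prop.Name)' -> $($prop.Value)"
            }
        }
    }
}

# 3. ShellExecuteHooks: each {CLSID} value here is a DLL Explorer loads at start; resolve it to its path
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    foreach ($prop in (Get-ItemProperty -Path $hooks).PSObject.Properties) {
        if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $clsid  = $prop.Name
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($server) { $server.'(default)' } else { '<unresolved CLSID>' }
        # Flag every hook; compare the resolved DLL against $names and known-good entries by hand
        $findings += "ShellExecuteHook $clsid -> $dll"
    }
}

# 4. Some variants delete the system hosts file entirely
$hosts = "$windir\System32\drivers\etc\hosts"
if (-not (Test-Path -LiteralPath $hosts)) { $findings += "hosts file missing: $hosts" }

if ($findings.Count -eq 0) { 'No PWS-Zhengtu indicators found.' } else { $findings }
```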
Method of Infection
N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans such as the W32/HLLP.Philis family of file infector worms.
Many of these are additionally mass spammed by the author to entice people into double-clicking on them. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore (Windows ME/XP only).
2. Update to current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Infostealer.Gampass (Symantec)
- Trojan-PSW.Win32.OnLineGames.es (Kaspersky)
- Trojan.PSW.OnLineGames.ce (Rising)
- TSPY_ONLINEGA.KB (TrendMicro)