PWS-Mmorpg.gen

Type: Trojan
SubType: Generic
Discovery Date: 05/07/2007
Length: varies
Minimum DAT: 5025 (05/07/2007)
Updated DAT: 5291 (05/08/2008)
Minimum Engine: 5.1.00
Description Added: 05/07/2007
Description Modified: 11/16/2007 9:49 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update November 15, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.net-security.org/malware_news.php?id=880

PWS-Mmorpg is a trojan written in Borland Delphi that attempts to steal password information for popular online MMORPG games. It also contains functionality to post this information to a remote website.

When executed, it drops the following files in all available drives, including removable and floppy drives:

.\Shell.exe     --> copy of the trojan
.\autorun.inf  --> detected as W32/USBAgent!inf
%WINDIR%\Help\ACDF4F3D0FD.exe --> copy of the trojan
%WINDIR%\Help\ACDF4F3D0FD.dll  --> detected as PWS-Mmorpg.gen

Note: The file attributes for the above mentioned files are set to Hidden and System.

Creates the following mutex to ensure that only one instance of the trojan is active on the infected system.

  • MeVFSExt

Ensures the trojan is executed when a drive is opened in Explorer by creating an autorun.inf file in the root of every drive.
The autorun.inf is configured to launch the trojan file via the following command syntax.

[autorun]
shell\1=Open
shell\1\Command=shell.exe -s

Symptoms

The trojan registers its DLL component by adding the registry keys:

HKEY_CLASSES_ROOT\CLSID\{F4030DE0-970A-4130-B155-FB8D19A038AA}\InProcServer32
%WINDIR%\Help\ACDF4F3D0FD.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{F4030DE0-970A-4130-B155-FB8D19A038AA}
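The two persistence mechanisms described above (the autorun.inf launch line and the ShellExecuteHooks registration) can be checked offline from a drive's autorun.inf and a registry export. The following triage helper is an added example, not code from the McAfee advisory; the autorun.inf and .reg samples are constructed from the indicators on this page, and collecting them from a live system is assumed to be done separately.

```python
import configparser
import re

# Indicators quoted from the advisory; the autorun.inf and .reg samples are constructed.
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
TROJAN_CLSID = "{F4030DE0-970A-4130-B155-FB8D19A038AA}"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def autorun_commands(inf_text):
    """Commands an autorun.inf hands to Explorer: open=, shellexecute= and the
    shell\\<verb>\\command form this trojan uses. Keys are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    return [v.strip() for k, v in cp.items(section)
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)]

def shell_execute_hooks(reg_text):
    """CLSIDs under ShellExecuteHooks in a .reg export, given as value names or subkeys."""
    hooks, current = set(), ""
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.lower().startswith(HOOKS_KEY.lower() + "\\"):
                hooks.update(m.upper() for m in CLSID_RE.findall(current))
        elif current.lower() == HOOKS_KEY.lower() and line.startswith('"'):
            hooks.update(m.upper() for m in CLSID_RE.findall(line.split("=", 1)[0]))
    return hooks

def triage(inf_text, reg_text):
    """Findings: every autorun launch line (worth a look on any removable drive)
    plus a hook registration matching this trojan's CLSID."""
    findings = []
    for cmd in autorun_commands(inf_text):
        exe = cmd.lower().split()[0].lstrip(".\\") if cmd.split() else ""
        tag = "matches PWS-Mmorpg dropper" if exe == "shell.exe" else "review"
        findings.append(f"autorun launches {cmd!r} ({tag})")
    if TROJAN_CLSID in shell_execute_hooks(reg_text):
        findings.append(f"ShellExecuteHook registered for trojan CLSID {TROJAN_CLSID}")
    return findings

SAMPLE_INF = "[autorun]\nshell\\1=Open\nshell\\1\\Command=shell.exe -s\n"
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n"      # constructed export
              f"[{HOOKS_KEY}]\n"
              '"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""\n'
              f'"{TROJAN_CLSID}"=""\n')
```

Any hook CLSID you do not recognise is worth resolving through its CLSID\InProcServer32 entry, since that is where the DLL path this trojan registers is found.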

Injects its DLL component into running processes and monitors visits to the following online gaming portals.

  • http://member.ran.com.tw/gamesite/event/ran_card/unlock.aspx
  • http://tw.login.yahoo.com/cgi-bin/login.cgi?srv=club
  • http://www.ran.com.tw/gamesite/card.htm
  • https://member.ran.com.tw/gamesite/event/20061012_god/application_login.aspx
  • https://signup.wowtaiwan.com.tw/09Accountmgmt/login.asp
  • https://signup.wowtaiwan.com.tw/09Accountmgmt/ManageAccount/changepassword.asp
  • https://signup.wowtaiwan.com.tw/09Accountmgmt/PrepaidCardsAndCDKey/login.asp
  • https://tw.event.gamania.com/lineageevent/e20050502/index.asp
  • https://tw.event.gamania.com/lineageevent/e20050502/search.asp
  • https://tw.gash.gamania.com/GASHLogin.aspx
  • https://tw.gash.gamania.com/UpdateMainAccountPassword.aspx
  • https://tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?ServiceCode=600035
  • https://tw.goodlock.gamania.com
  • https://tw.goodlock.gamania.com/ShowNew.aspx

Logs username and password information for the above mentioned sites and posts it to a remote website controlled by the attacker.

Method of Infection

Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or trojans to be installed on the user's system.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

Aliases

  • TR/PSW.OnLineGames.DR (Avira)
  • Trojan-PSW.Win32.OnLineGames.dr (Kaspersky)
  • Trojan.OnLineGames-5 (Clam AV)
  • Trojan.Pws.Onlinegames.DR (BitDefender)
