PWS-OnlineGames.a

Type: Trojan
SubType: Password Stealer
Discovery Date: 05/29/2007
Length: Varies
Minimum DAT: 5041 (05/29/2007)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.3.00
Description Added: 05/29/2007
Description Modified: 09/02/2010 12:43 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

----- Updated September 3, 2010 -----

File Information:

  • MD5      - 23396C331547D1119207DD8C42E6BF8F
  • SHA-1    - 5665133BE2B816B5AC4F888AD7C5DA8D98BB3BC3

Aliases:

  • Kaspersky: Trojan-Dropper.Win32.Small.fwx
  • NOD32: a variant of Win32/PSW.OnLineGames.POY
  • Quick Heal: TrojanGameThief.Magania.dqav

Characteristics –

"PWS-OnlineGames.a" is a Trojan that steals online game accounts and passwords by monitoring the system.

Upon execution, the Trojan injects into explore.exe and connects to the site "baid[removed]r.com" over remote port 80.

The Trojan copies itself into the following location:

  • %Temp%\dsoqq.exe

And drops the following files:

  • %Temp%\apiqq.exe [Found to be Trojan]
  • %Temp%\apiqq0.dll [Found to be Trojan]
  • %Temp%\dsoqq0.dll [Detected as PWS-OnlineGames.a]

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN\]
    Urlinfo="dswwbmh.w"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    dso32="%Temp%\dsoqq.exe"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    api32="%Temp%\apiqq.exe"

The Run values listed above ensure that the Trojan is executed on every boot.

It also attempts to kill security-related processes with the following filenames:

  • LIVESRV.EXE
  • VCRMON.EXE
  • Update.exe
  • CCSVCHST.EXE
  • ALUSCHEDULERSVC.EXE
  • luall.exe
  • ASHDISP.EXE
  • avast.setup
  • AVP.EXE
  • prupdate.ppl
  • AYAGENT.AYE
  • AYUpdate.aye
  • UFSEAGNT.EXE
  • SfFnUp.exe
  • UfUpdUi.exe
  • AVGNT.EXE
  • preupd.exe
  • update.exe
  • VSTSKMGR.EXE
  • vsupdate.dll
  • mcupdate.exe
  • AVGRSX.EXE
  • avgupd.exe
  • Nod32Kui.exe
  • FilMsg.exe
  • Twister.exe
  • RavMon.exe

[ Where %Temp% is the Temp Directory ]

Symptoms -

  • Presence of the above mentioned files and registry keys
  • Presence of an unexpected network connection to the above mentioned remote site

-------------------------------

As there are several variants of this trojan, this is just a general guide on how the trojan infects systems.

When executed, this trojan copies itself to the %SysDir% folder using random filenames. Some of the filenames it uses are listed below:

  • MOSOU.EXE
  • ROMDRIVERS.EXE
  • DASO.EXE
  • MHSO.EXE
  • RXSO.EXE
  • WDSO.EXE
  • WMSO.EXE
  • ZTSO.EXE
  • LOADER.EXE
  • JTSO0.EXE
  • AUTO.EXE
  • CONIME.EXE

The trojan also drops a DLL component into the %SysDir% folder. Some of the filenames used for the DLL component are listed below:

  • MOSOU.DLL
  • WMSO.DLL
  • WDSO0.DLL
  • JTSO0.DLL
  • RXSO0.DLL
  • VER32.DLL
  • RAVWM624.DLL

The DLL component is injected into several running processes on the victim's system. It harvests the names of gaming servers, players' passwords, PIN numbers and other information for well-known online games by tracking users' keystrokes and mouse clicks. The trojan sends this harvested data to a remote site via HTTP.

The following registry key is modified to ensure that the trojan is executed each time the victim's system is rebooted:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run

The following processes may be terminated:

  • KREGEX.EXE
  • RUNIEP.EXE
  • AVP.EXE
  • KVXP.KXP

Symptoms

Presence of the following files in the %SysDir% folder:

  • MOSOU.EXE
  • ROMDRIVERS.EXE
  • DASO.EXE
  • MHSO.EXE
  • RXSO.EXE
  • WDSO.EXE
  • WMSO.EXE
  • ZTSO.EXE
  • LOADER.EXE
  • JTSO0.EXE
  • AUTO.EXE
  • CONIME.EXE
  • MOSOU.DLL
  • WMSO.DLL
  • WDSO0.DLL
  • JTSO0.DLL
  • RXSO0.DLL
  • VER32.DLL
  • RAVWM624.DLL
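A host check for the indicators in both Symptoms lists (the 2010 update's %Temp% files, registry keys and Run values, and the older variants' %SysDir% filenames), as an added PowerShell example that is not part of the McAfee write-up. It assumes the paths and value names exactly as listed on this page and only reports what it finds.

```powershell
# Added example, not from the McAfee write-up: report (do not remove) the
# indicators listed above. Run from an elevated PowerShell prompt.
$findings = @()

# 2010 variant: files dropped into the current user's Temp directory
foreach ($name in 'dsoqq.exe', 'apiqq.exe', 'apiqq0.dll', 'dsoqq0.dll') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2010 variant: registry keys added under HKLM
foreach ($key in 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN',
                 'HKLM:\SOFTWARE\Microsoft\DownloadManager') {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# 2010 variant: Run values dso32/api32 in every loaded user hive (HKU\S-1-5-...)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    $runKey = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($v in 'dso32', 'api32') {
        if ($props.PSObject.Properties.Name -contains $v) {
            $findings += "Run value '$v' in $($hive.PSChildName): $($props.$v)"
        }
    }
}

# Older variants: names dropped into %SysDir%. CONIME.EXE is also a legitimate
# Windows XP console IME binary, so its presence alone is not conclusive.
$sysDirNames = 'MOSOU.EXE', 'ROMDRIVERS.EXE', 'DASO.EXE', 'MHSO.EXE', 'RXSO.EXE',
               'WDSO.EXE', 'WMSO.EXE', 'ZTSO.EXE', 'LOADER.EXE', 'JTSO0.EXE', 'AUTO.EXE',
               'CONIME.EXE', 'MOSOU.DLL', 'WMSO.DLL', 'WDSO0.DLL', 'JTSO0.DLL',
               'RXSO0.DLL', 'VER32.DLL', 'RAVWM624.DLL'
foreach ($name in $sysDirNames) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

if ($findings.Count -eq 0) { 'No PWS-OnlineGames.a indicators found.' } else { $findings }
```

A hit on a Run value or a %Temp% file should be followed by a scan with the engine and DAT versions given at the top of this page rather than by manual deletion.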

Method of Infection

Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview -

PWS-OnlineGames.a is detection for a trojan that steals online game accounts, such as Lineage, LegMir, World of Warcraft and Rohan.
