PWS-OnlineGames.a

Type: Trojan
SubType: Password Stealer
Discovery Date: 05/29/2007
Length: Varies
Minimum DAT: 5041 (05/29/2007)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 05/29/2007
Description Modified: 07/13/2007 7:30 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

As there are several variants of this trojan, this is just a general guide on how the trojan infects systems.

When executed, this trojan copies itself to the %SysDir% folder using random filenames. Some of the filenames it uses are listed below:

  • MOSOU.EXE
  • ROMDRIVERS.EXE
  • DASO.EXE
  • MHSO.EXE
  • RXSO.EXE
  • WDSO.EXE
  • WMSO.EXE
  • ZTSO.EXE
  • LOADER.EXE
  • JTSO0.EXE
  • AUTO.EXE
  • CONIME.EXE

The trojan also drops a DLL component into the %SysDir% folder. Some of the filenames used for the DLL component are listed below:

  • MOSOU.DLL
  • WMSO.DLL
  • WDSO0.DLL
  • JTSO0.DLL
  • RXSO0.DLL
  • VER32.DLL
  • RAVWM624.DLL

The DLL component is injected into several running processes on the victim's system. It harvests the names of game servers, players' passwords, PIN numbers and other account information for well-known online games by tracking the user's keystrokes and mouse clicks. The trojan sends the harvested data to a remote site via HTTP.

The following registry key is modified to ensure that the trojan is executed each time the victim's system is rebooted:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run

The following processes may be terminated:

  • KREGEX.EXE
  • RUNIEP.EXE
  • AVP.EXE
  • KVXP.KXP

Symptoms

Presence of the following files in the %SysDir% folder:

  • MOSOU.EXE
  • ROMDRIVERS.EXE
  • DASO.EXE
  • MHSO.EXE
  • RXSO.EXE
  • WDSO.EXE
  • WMSO.EXE
  • ZTSO.EXE
  • LOADER.EXE
  • JTSO0.EXE
  • AUTO.EXE
  • CONIME.EXE
  • MOSOU.DLL
  • WMSO.DLL
  • WDSO0.DLL
  • JTSO0.DLL
  • RXSO0.DLL
  • VER32.DLL
  • RAVWM624.DLL
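As an added illustration, not part of the McAfee description, the triage check below matches exported evidence against the three symptoms given above: the dropped filenames in %SysDir%, a Run-key value that launches one of them, and the DLL component loaded in another process. The sample evidence, the Run value names and the function names are constructed assumptions.

```python
import ntpath

# Filenames listed in the description above; CONIME.EXE is also the name of a
# legitimate Windows console IME binary, so a name match is a lead, not proof.
DROPPED_EXES = {"MOSOU.EXE", "ROMDRIVERS.EXE", "DASO.EXE", "MHSO.EXE", "RXSO.EXE",
                "WDSO.EXE", "WMSO.EXE", "ZTSO.EXE", "LOADER.EXE", "JTSO0.EXE",
                "AUTO.EXE", "CONIME.EXE"}
DROPPED_DLLS = {"MOSOU.DLL", "WMSO.DLL", "WDSO0.DLL", "JTSO0.DLL", "RXSO0.DLL",
                "VER32.DLL", "RAVWM624.DLL"}

def executable_from_command(command):
    """Upper-cased basename of the program a Run-key value launches.
    Accepts "C:\\dir\\x.exe" /args (quoted) or C:\\dir\\x.exe /args (unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split(" ", 1)[0]
    return ntpath.basename(program).upper()

def triage(sysdir_files, run_values, process_modules):
    """Match the three symptoms the description gives: dropped files in %SysDir%,
    a Run-key value launching one of them, and the DLL loaded in another process.
    Inputs are plain lists/dicts so the check can run on exported evidence."""
    findings = []
    for name in sysdir_files:
        if name.upper() in DROPPED_EXES or name.upper() in DROPPED_DLLS:
            findings.append(("file", name))
    for value_name, command in run_values.items():
        if executable_from_command(command) in DROPPED_EXES:
            findings.append(("run_key", value_name))
    for process, modules in process_modules.items():
        for module in modules:
            if ntpath.basename(module).upper() in DROPPED_DLLS:
                findings.append(("injected_dll", f"{process}: {module}"))
    return findings

# Constructed sample evidence (not from the page): a directory listing, Run-key
# values as exported by reg.exe, and per-process module lists.
SAMPLE_SYSDIR = ["kernel32.dll", "conime.exe", "wmso.dll", "notepad.exe"]
SAMPLE_RUN = {"wmso": r'"C:\WINDOWS\system32\wmso.exe" -s',
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_MODULES = {"explorer.exe": [r"C:\WINDOWS\system32\ntdll.dll", r"C:\WINDOWS\system32\WMSO.DLL"],
                  "svchost.exe": [r"C:\WINDOWS\system32\ntdll.dll"]}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_SYSDIR, SAMPLE_RUN, SAMPLE_MODULES):
        print(f"{kind}: {detail}")
```

A file or Run-key hit on a name that is also a legitimate Windows binary (conime.exe) should be confirmed by hash or signature before removal.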

Method of Infection

Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However, they may be downloaded by other viruses and/or Trojans and installed on the user's system.

Many are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit that installs the Password Stealer onto the user's system with no user interaction).

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

PWS-OnlineGames.a is the detection name for a trojan that steals online game accounts, such as Lineage, LegMir, World of Warcraft and Rohan.
