PWS-OnlineGames!66A1DE20

Type
Trojan
SubType
Password
Discovery Date
08/08/2007
Length
705,315
Minimum DAT
5092 (08/07/2007)
Updated DAT
5092 (08/07/2007)
Minimum Engine
5.1.00
Description Added
08/08/2007
Description Modified
08/08/2007 8:54 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

PWS-OnlineGames!66A1DE20 has the following attributes:

File size: 705,315 bytes
MD5: 5021E4DCEAC8AA79E3A1FAFA41489A3B6 
CRC32: 66A1DE20

Upon execution, the trojan drops the following DLL files:

  • C:\Program Files\Common Files\Relive.dll (14,895 bytes)
  • C:\Program Files\Common Files\msvcrt.dll (14,895 bytes)

It adds the following registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{6C7596CB-C1CC-6BA3-BE52-8EEA62F9C61D}\InProcServer32
    "(Default)" = C:\Program Files\Common Files\Relive.dll
    "ThreadingModel" = Apartment
  • HKEY_CLASSES_ROOT\CLSID\{A1626E66-B26B-C628-A1DF-BDACCFA26EE1}\InProcServer32
    "(Default)" = C:\Program Files\Common Files\Relive.dll
    "ThreadingModel" = Apartment
  • HKEY_CLASSES_ROOT\CLSID\0CCE6E12-C2EC-56CD+1A62-AE3FD6EF56E6}\InProcServer32
    "(Default)" = C:\Program Files\Common Files\msvcrt.dll
    "ThreadingModel" = Apartment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1626E66-B26B-C628-A1DF-BDACCFA26EE1} "(Default)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "0CCE6E12-C2EC-56CD+1A62-AE3FD6EF56E6}"
  • HKEY_CURRENT_USER\Software\SoftCoolVer\

The trojan deletes the following registry keys:

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

The trojan attempts to download the following files from the remote site http://9-6.in[removed].
These files are password-stealing trojans, typically from the PWS-OnlineGames family.

  • smss.exe
  • csrss.exe
  • svchost32.exe
  • svchost.exe
  • conime.exe
  • ctfmon.exe
  • mmc.exe
  • services.exe
  • IEXPLORE.EXE
  • stpglbk.exe
  • srogm.exe
  • spglsdr.exe
  • copypfh.exe
  • okfile.exe

It deletes the following files:

  • fyso.exe
  • jtso.exe
  • mhso.exe
  • wdso.exe
  • wgso.exe
  • wlso.exe
  • wmso.exe
  • woso.exe
  • ztso.exe
  • daso.exe
  • tlso.exe
  • rxso.exe
  • fyso6.dll
  • jtso6.dll
  • mhso6.dll
  • qjso6.dll
  • wdso6.dll
  • wgso6.dll
  • wlso6.dll
  • wmso6.dll
  • woso6.dll
  • ztso6.dll
  • tlso6.dll
  • daso6.dll
  • rxso6.dll
  • %SystemDir%\drivers\etc\hosts

Symptoms

  • Existence of mentioned files and registry keys
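A host check for the persistence described above, written as an added example in PowerShell (it is not part of the McAfee description). Rather than matching the listed CLSIDs literally, it resolves every Browser Helper Object and ShellExecuteHooks CLSID to its InProcServer32 DLL and flags entries that point at the dropped DLLs or at no server at all, then checks the remaining on-host indicators (dropped files, the SoftCoolVer key, a missing hosts file). It assumes an elevated session on the Windows host being examined and changes nothing.

```powershell
# Added example, not part of the McAfee description. Assumes an elevated
# PowerShell session on the host under examination; read-only throughout.
$SuspectDlls = @(
    'C:\Program Files\Common Files\Relive.dll',
    'C:\Program Files\Common Files\msvcrt.dll'
)
$HookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Get-InProcServer {
    # Resolve a CLSID to the DLL that Explorer/IE will load for it; $null if unregistered.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key).'(default)'
    }
}

$findings = @()
foreach ($hookKey in $HookKeys) {
    if (-not (Test-Path -LiteralPath $hookKey)) { continue }
    # BHOs register as subkeys named by CLSID; ShellExecuteHooks as values named by CLSID.
    $clsids = @(Get-ChildItem -LiteralPath $hookKey | ForEach-Object { $_.PSChildName })
    $clsids += (Get-Item -LiteralPath $hookKey).GetValueNames()
    foreach ($clsid in ($clsids | Where-Object { $_ } | Sort-Object -Unique)) {
        $dll = Get-InProcServer -Clsid $clsid
        $findings += [pscustomobject]@{
            Hook    = Split-Path -Leaf $hookKey
            Clsid   = $clsid
            Dll     = $dll
            # Flag the dropped-DLL paths from the description, and also any hook whose
            # CLSID resolves to nothing (a dangling or malformed hook entry).
            Suspect = ($SuspectDlls -contains $dll) -or (-not $dll)
        }
    }
}
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize

# Remaining host indicators from the description: dropped DLLs, the SoftCoolVer
# key, and a missing hosts file (the trojan deletes it).
foreach ($p in $SuspectDlls) { if (Test-Path -LiteralPath $p) { "Dropped file present: $p" } }
if (Test-Path 'HKCU:\Software\SoftCoolVer') { 'Registry key present: HKCU\Software\SoftCoolVer' }
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Test-Path -LiteralPath $hosts)) { "hosts file missing: $hosts" }
```

Legitimate BHOs will appear in the table too; the Suspect column is a triage aid, and a hit should be confirmed against the file sizes and MD5 given above before cleaning.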

Method of Infection

  • It may spread to removable drives by creating an Autorun.inf file.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a description of a specific sample variant of PWS-OnlineGames.a and is detected under the unqualified name.

Aliases

  • PSW.Generic5.BNI (GRISoft)
  • Trojan.PWS.Gamania.3225 (Doctor Web)
  • TSPY_ONLINEG.DRW (Trend Micro)
  • W32.Drom (Symantec)
  • W32/AutoRun.FX (Norman)
