PWS-OnlineGames.dt.dll
- Type: Trojan
- SubType: Application extension
- Discovery Date: 02/25/2009
- Length
- Minimum DAT: 5536 (02/25/2009)
- Updated DAT: 6420 (07/27/2011)
- Minimum Engine: 5.2.00
- Description Added: 02/25/2009
- Description Modified: 03/31/2009 3:03 AM (PT)
Overview
This description covers a password-stealing and keylogging Trojan that attempts to steal system information and user information for certain online games.
The characteristics of this password stealer (passwords stolen, sites accessed, files downloaded, etc.) differ depending on how the attacker configured it. Hence, this is a general description.
Aliases
- Gh0stRat
- GhostRat
Characteristics
As this detection covers many variants, the characteristics of this Trojan password stealer (file names, registry keys, etc.) differ depending on how the attacker configured it. Hence, this is a general description.
Depending on the variant, it may create any of the following autostart registry entries:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[Random Service]\Parameters\
  ServiceDll = "[DLL path and filename]"
  Note: the random service name may be taken from the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{Random CLSID}\InprocServer32\
  (default) = "[DLL path and filename]"
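The autostart locations listed above can be audited from the defender's side. The script below is an added example, not part of the McAfee description; it assumes an elevated PowerShell session on the host being examined and uses "DLL outside %SystemRoot%" only as a review heuristic, not as a detection signature.

```powershell
# Added audit script; not part of the McAfee description. It walks the autostart
# locations the description lists and flags DLLs loaded from outside %SystemRoot%
# (a heuristic for manual review, not a signature). Run elevated on the host.

$sysRoot  = $env:SystemRoot
$findings = @()

function Resolve-ClsidDll {
    param([string]$Clsid)
    # In-process COM servers register their DLL as the (default) value of InprocServer32.
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { return (Get-Item $key).GetValue('') }
    return $null
}

# 1. svchost-hosted services: ServiceDll under each service's Parameters subkey.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $params = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-Item $params).GetValue('ServiceDll')   # GetValue expands REG_EXPAND_SZ
    if ($dll) { $findings += [pscustomobject]@{ Location = "Service\$($svc.PSChildName)"; Dll = $dll } }
}

# 2. ShellExecuteHooks: each value name is a CLSID; resolve it to its InprocServer32 DLL.
$sehKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $sehKey) {
    foreach ($clsid in (Get-Item $sehKey).GetValueNames() | Where-Object { $_ -like '{*}' }) {
        $findings += [pscustomobject]@{ Location = "ShellExecuteHooks\$clsid"; Dll = (Resolve-ClsidDll $clsid) }
    }
}

# 3. Browser Helper Objects: each subkey name is a CLSID.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($bho in Get-ChildItem $bhoKey) {
        $findings += [pscustomobject]@{ Location = "BHO\$($bho.PSChildName)"; Dll = (Resolve-ClsidDll $bho.PSChildName) }
    }
}

# 4. Report: anything outside %SystemRoot%, or unresolvable, is queued for manual review.
$findings | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables([string]$_.Dll)
    [pscustomobject]@{
        Location     = $_.Location
        Dll          = $path
        ReviewNeeded = (-not $path) -or ($path -notlike "$sysRoot\*")
    }
} | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

Legitimate third-party software also registers BHOs and shell hooks from Program Files, so rows marked ReviewNeeded are a starting point for verifying the file's publisher and hash, not a verdict.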
This Trojan installs system hooks and logs keystrokes and mouse clicks. The gathered data can then be saved to a log file.
This Trojan can also retrieve system information such as processor type and speed, the operating system in use, and user information.
This Trojan drops a component SYS file, detected as PWS-OnlineGames.dt.sys, that tries to reset all SSDT function hooks, including those set by drivers that antivirus software uses for monitoring and protection. As a result, antivirus software may run improperly.
The Trojan can accept the following commands from a remote user:
- create a remote CMD shell
- download other files
- enumerate all running processes
- terminate processes
- remove itself
- restart the system
- clear the Event Logs (Application, Security and System)
Symptoms
- Presence of the files and registry entries mentioned earlier
- A software-based firewall, if one is installed on the machine, might alert about an unknown program attempting to connect to the Internet
Method of Infection
This password stealer may spread by copying itself to removable devices, along with an Autorun.inf file.
Infection starts either with manual execution of the infected file or simply by navigating to a folder containing the infected files, whereby the Autorun.inf file can cause automatic execution of the malware.
The malware can also spread manually, under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or on unpatched and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal
All Users:
Use the current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A