PWS-Lineage!c75148f7

This page shows details and results of our analysis on the malware PWS-Lineage!c75148f7

Overview

This is a variant of the password-stealing PWS-Lineage trojan. It monitors Internet Explorer for passwords submitted to Asian websites for the on-line game "Lineage". A generic description of this family is available at:


Minimum DAT: 5026 (2007-05-08)
Updated DAT: 5026 (2007-05-08)
Minimum Engine: 5.1.00
File Length: 95,278 bytes (EXE), 108,544 bytes (DLL)
Description Added: 2007-05-07
Description Modified: 2007-05-07

Characteristics

This is a variant of the password-stealing PWS-Lineage trojan. It monitors Internet Explorer for passwords submitted to Asian websites for the on-line game "Lineage".

  • Filename(s): han.exe, %Windir%\System32\explorer.exe
  • Size: 95,278 bytes
  • MD5 hash: 36e920818ff476096e3488d0933a28d4

(Where %Windir% is the Windows folder, e.g. C:\Windows. The legitimate explorer.exe is part of the Windows operating system and resides in %Windir%\explorer.exe, not in %Windir%\System32; the copy in System32 is the trojan using a familiar name to avoid attention.)

On execution, the trojan drops a DLL component, detected as PWS-Lineage.dll, and injects it into the process space of Windows Explorer (explorer.exe), where it runs.

  • Filename: %Windir%\System32\dab1.dll
  • Size: 108,544 bytes
  • MD5 hash: bf08a591daeb1e5d93cdd007fdfcc7d9

When Internet Explorer is launched, the DLL component hooks into the browser process and logs the user's ID and password as they are submitted to the following Lineage-related websites:

  • httpx://cs.li{blocked}ge.co.kr/account/losePassword/losePasswordCheck.asp
  • httpx://cs.li{blocked}ge.co.kr/account/forgetPassword/forgetPasswordForm.asp
  • httpx://cs.li{blocked}ge.co.kr/account/losePassword/losePasswordForm.asp
  • httpx://cs.li{blocked}ge.co.kr/account/forgetPassword/forgetPasswordSub.asp
  • httpx://event.li{blocked}ge.com.tw/AccountCenter/changegamepwd.asp
  • http://{blocked}.1000y.com.cn/1000y/1000YService/PassSearch.asp

Stolen information is stored in %SystemDrive%\logo.dat and sent to the malware author via e-mail.

(Where %SystemDrive% is the disk drive where Windows is installed, e.g. C:)

Other generic characteristics of PWS-Lineage are available at:

Symptoms

1. Presence of the files mentioned.

2. Presence or modification of the following registry key(s):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" =  "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\explorer.exe,"

(Where C:\WINDOWS\System32\explorer.exe is the PWS-Lineage trojan. The legitimate value contains only C:\WINDOWS\system32\userinit.exe; Winlogon runs every entry in this value at interactive logon, so the appended path starts the trojan each time a user logs on.)
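The following host triage script is an added example and not part of the McAfee description: it checks a Windows machine for the indicators listed above (the Userinit persistence entry, the dropped files with their MD5 hashes, and whether dab1.dll is loaded in any process). It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session; the variable and message names are the example's own.

```powershell
# Added triage example (not McAfee's code): look for the PWS-Lineage!c75148f7
# indicators described on this page. Assumes PowerShell 4.0+ and an elevated
# session so HKLM and other users' processes can be read.

$ErrorActionPreference = 'SilentlyContinue'

# Indicators taken from the description above (file name -> MD5 of the known sample).
$iocHashes = @{
    'explorer.exe' = '36e920818ff476096e3488d0933a28d4'
    'dab1.dll'     = 'bf08a591daeb1e5d93cdd007fdfcc7d9'
}
$iocPaths = @(
    (Join-Path $env:SystemRoot 'System32\explorer.exe'),   # trojan EXE (legit copy lives in %Windir%)
    (Join-Path $env:SystemRoot 'System32\dab1.dll'),       # injected DLL component
    (Join-Path $env:SystemDrive 'logo.dat')                # stolen-credential log
)

$findings = @()

# 1. Winlogon\Userinit: the only legitimate entry is %Windir%\System32\userinit.exe
#    (a trailing comma is normal). Every entry here runs at interactive logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$legit    = Join-Path $env:SystemRoot 'System32\userinit.exe'
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    if ($entry -ne $legit) {            # -ne is case-insensitive, so system32 vs System32 is fine
        $findings += "Unexpected Userinit entry: $entry"
    }
}

# 2. Dropped files: report presence and whether the MD5 matches the known sample.
#    A different hash still matters; it may be a repacked variant.
foreach ($path in $iocPaths) {
    if (Test-Path -LiteralPath $path) {
        $name = Split-Path -Leaf $path
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        if ($iocHashes[$name] -and $md5 -eq $iocHashes[$name]) {
            $findings += "$path ($md5): matches known sample"
        } else {
            $findings += "$path ($md5): present, hash not in list"
        }
    }
}

# 3. Injected DLL: is dab1.dll loaded in any running process (explorer.exe, iexplore.exe)?
#    Module enumeration can fail for protected processes or across 32/64-bit; skip those.
foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'dab1.dll' }) {
            $findings += "dab1.dll loaded in $($proc.ProcessName) (PID $($proc.Id))"
        }
    } catch { }
}

if ($findings.Count -eq 0) {
    'No PWS-Lineage indicators found.'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt. A hit on the Userinit check alone is worth investigating even if the file hashes differ, because a new build of the same family would keep the persistence mechanism while changing the binary.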

Method of Infection

Trojans do not self-replicate. They are spread manually, under the pretence that the executable is something beneficial; distribution channels include web exploits, IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants