PWS-OnlineGames.y.dll

This page shows details and results of our analysis of the malware PWS-OnlineGames.y.dll.

Overview

PWS-OnlineGames.y.dll is a password-stealing trojan. It arrives as an attachment to email messages spammed by other malware or by a malicious user, or it may be dropped on the system by other malware.


Minimum DAT: 5189 (2007-12-19)

Updated DAT: 6162 (2010-11-09)

Minimum Engine: 5.1.00

File Length: Varies

Description Added: 2007-12-19

Description Modified: 2008-07-02


Characteristics

As this detection covers many variants, the characteristics of this trojan (file names, registry keys, etc.) will differ depending on how the attacker configured it. Hence, this is a general description.

This trojan drops the following copy of itself:

  • %Windows%\Help\B41346EFA848.exe

It drops the following files/components:

  • %Current%\2.bat - non-malicious file
  • %Windows%\1.bat - non-malicious file
  • %Windows%\Help\B41346EFA848.dll

(Where %Windows% is the Windows directory, e.g. C:\Windows or C:\WINNT, and %Current% is the folder from which this trojan was run.)

The dropped .DLL is injected into running processes to stay memory resident. This file is also responsible for this trojan's information stealing capability.

This trojan creates the following registry entry, which registers the dropped DLL as a COM in-process server under the listed CLSID, to enable its automatic execution at every system startup:

  • HKEY_CLASSES_ROOT\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32 (Default) = "%Windows%\help\B41346EFA848.dll"
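The following PowerShell script is an added example, not McAfee's code or tooling: it checks a Windows host for the dropped files, the CLSID registry entry and the injected DLL described above, and with -Remove deletes what it finds. The file names, paths and CLSID are the ones given on this page; the parameter name and the output layout are assumptions made for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not McAfee's code or tooling): check a Windows host for the
# artifacts described above and, with -Remove, delete them. Run from an
# elevated PowerShell prompt. The file names, paths and CLSID are the ones
# given on this page; the parameter name and output layout are assumptions
# made for this example.
[CmdletBinding()]
param(
    [switch]$Remove    # delete whatever is found (default: report only)
)

$win    = $env:SystemRoot        # %Windows%, e.g. C:\Windows or C:\WINNT
$dll    = 'B41346EFA848.dll'
$clsid  = '{1DBD6574-D6D0-4782-94C3-69619E719765}'
$regKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"

# %Current%\2.bat depends on where the sample was run, so only the fixed
# paths are checked here.
$paths = @(
    (Join-Path $win 'Help\B41346EFA848.exe'),
    (Join-Path $win "Help\$dll"),
    (Join-Path $win '1.bat')
)

$findings = @()

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = "size=$size sha256=$hash" }
    }
}

# The (Default) value of InProcServer32 is the DLL loaded for this CLSID.
if (Test-Path -LiteralPath $regKey) {
    $target = (Get-ItemProperty -LiteralPath $regKey).'(default)'
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = $regKey; Detail = "(Default)=$target" }
}

# The DLL is injected into running processes: list every process that has it
# loaded. Reading .Modules of a protected process throws; that is expected.
$hosts = foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq $dll }) { $proc }
    } catch { }
}
foreach ($proc in $hosts) {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($proc.ProcessName) (PID $($proc.Id))"; Detail = "$dll loaded" }
}

if (-not $findings) {
    Write-Output 'No PWS-OnlineGames.y.dll artifacts found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    # Processes hosting the DLL keep the file locked, so stop them first.
    # This may include explorer.exe; expect the desktop to restart.
    foreach ($proc in $hosts) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue }
    if (Test-Path -LiteralPath $regKey) {
        # Remove the whole CLSID key, not just the InProcServer32 subkey.
        Remove-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -Recurse -Force
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }
    Write-Output 'Artifacts removed. Reboot, then rescan with a current engine and DAT.'
}
```

Because this detection covers many variants, a clean result from this script does not clear the host; a hit on any item (or a file with a different name in %Windows%\Help) should be followed by a full scan with the current engine and DAT, and the SHA256 recorded above can be used to confirm which variant was present.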

This trojan steals sensitive information, such as user names and passwords, related to the following games:

  • Maple Story
  • MSN Games
  • World of Warcraft

It sends gathered information to a predetermined email address using its own Simple Mail Transfer Protocol (SMTP) engine, and also to a remote user by HTTP POST.

It also steals sensitive information from the following application windows (window class names used by Yahoo! Messenger):

  • YahooBuddyMain
  • YLoginWnd

This trojan also connects to the following URLs to send and receive information (host names removed; the "http: //" spacing is deliberate so the addresses are not clickable):

  • http: //www.[removed].com/mail/upfile.asp
  • http: //www.[removed].com/abc/upfile.asp
  • http: //www.[removed].com/67426/upfilesg.asp
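Since the host names are removed on this page, a network check has to key on the HTTP method and the upload path. The following PowerShell function is an added example, not part of this description: it scans web-proxy log lines for POST requests to the three paths listed above. The log layout (W3C extended fields: date time c-ip cs-method cs-uri sc-status) and the sample lines are constructed for the example; only the paths come from the page.

```powershell
# Added example (not part of this description): flag proxy-log lines that show
# a POST to one of the upload paths listed above. The field layout and the
# sample lines below are constructed for this example; the paths are the
# ones given on the page (host names are [removed] there, so matching is on
# the path only).
$uploadPaths = @('/mail/upfile.asp', '/abc/upfile.asp', '/67426/upfilesg.asp')

function Find-UpfilePosts {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }          # W3C header/comment lines
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }                 # malformed or truncated line
        $method = $f[3]
        $url    = $f[4]
        $u = $url -as [uri]                              # $null if not a valid URI
        if (-not $u -or -not $u.IsAbsoluteUri) { continue }
        if ($method -eq 'POST' -and $uploadPaths -contains $u.AbsolutePath) {
            [pscustomobject]@{
                Time   = "$($f[0]) $($f[1])"
                Client = $f[2]
                Url    = $url
            }
        }
    }
}

# Constructed sample log; only the two POST lines should be reported.
$sample = @(
    '#Fields: date time c-ip cs-method cs-uri sc-status',
    '2008-07-02 10:15:01 10.0.0.12 GET http://www.example.com/index.html 200',
    '2008-07-02 10:15:07 10.0.0.12 POST http://www.example.com/mail/upfile.asp 200',
    '2008-07-02 10:15:09 10.0.0.12 GET http://www.example.com/abc/upfile.asp 200',
    '2008-07-02 10:16:30 10.0.0.40 POST http://www.example.com/67426/upfilesg.asp 200'
)

Find-UpfilePosts -Lines $sample | Format-Table -AutoSize
```

Replace $sample with Get-Content of a real proxy log to run it against production data. Note that a GET to the same path (fourth sample line) is not reported: the description says the stolen data is sent by HTTP POST, and a plain GET to an upfile.asp page is more likely to be a scanner or a browser than this trojan. The client IP of any hit is the host to run the file and registry check on.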
 

Symptoms

  • Presence of the previously mentioned files and registry keys/values.
  • Presence of network connections to the previously mentioned URLs.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

 

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

In some cases, where the Master Boot Record has been tampered with, the following additional steps need to be taken.

Boot into the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows installation disc into the drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the disc from the drive.

Variants