
PWS:Win32/OnLineGames.BX


PWS:Win32/OnLineGames.BX is a detection for a trojan that steals account information for certain online games and instant messaging applications. It logs the stolen account information by intercepting network traffic and monitoring specific APIs. It then sends the stolen information to a remote server.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
PWS:Win32/OnLineGames.BX attempts to steal sensitive and confidential information from affected users in order to perpetrate fraud. If you believe that your personal information may have been compromised, please refer to the following advisory for additional advice:

Threat behavior

Installation

PWS:Win32/OnLineGames.BX may be dropped and installed by other malware, for example, PWS:Win32/OnLineGames.BX.dr.

Payload

Steals Account Information

PWS:Win32/OnLineGames.BX is loaded when applications try to use the Windows Socket functions. It attempts to intercept network connections, and receive, send, and close operations if the process name is any of the following:
 
  • AClient.exe
  • client.exe
  • ElementClient.exe
  • Game.bin
  • Game.exe
  • Lin.bin
  • MapleStory.exe
  • Ragexe.exe
  • RagFree.exe
  • Ragnarok.exe
  • ZodiacOnline.exe
 
Most of these processes are associated with online games.
 
PWS:Win32/OnLineGames.BX tries to intercept the 'CryptEncrypt' and 'CryptDecrypt' APIs and network connection operations if the process name is any of the following:
 
  • _BeanFunCore.exe
  • iexplore.exe
  • msnmsgr.exe
  • YahooMessenger.exe
 
Most of these processes are associated with instant messaging and other online applications.
 
It then filters the intercepted network traffic to log information, including the following:
 
  • Account name
  • Password
  • Login server
 
PWS:Win32/OnLineGames.BX then sends the logged information to a remote server. One remote server it has been observed to send information to is 'ccaatt.com'.
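As an added example (not part of this advisory and not a Microsoft tool), the following Python triage helper applies the behaviour described above to endpoint network logs: it flags any process connecting to the named exfiltration host and raises the severity when the connecting process is one the trojan is known to hook. The log line format, the image paths and the sample events are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass
# Process names the advisory lists: Winsock hooking (games) and
# CryptEncrypt/CryptDecrypt hooking (IM, browser). Compared case-insensitively.
HOOKED_GAME_PROCESSES = {
    "aclient.exe", "client.exe", "elementclient.exe", "game.bin", "game.exe",
    "lin.bin", "maplestory.exe", "ragexe.exe", "ragfree.exe", "ragnarok.exe",
    "zodiaconline.exe",
}
HOOKED_IM_PROCESSES = {"_beanfuncore.exe", "iexplore.exe", "msnmsgr.exe", "yahoomessenger.exe"}
KNOWN_EXFIL_HOSTS = {"ccaatt.com"}  # the only exfiltration host the advisory names

# Constructed line format (assumption): "<time> pid=<n> image=<path> dest=<host>[:<port>]"
LINE_RE = re.compile(r"image=(?P<image>\S+)\s+dest=(?P<host>[^:\s]+)(?::(?P<port>\d+))?")

@dataclass
class Finding:
    line_no: int
    image: str
    host: str
    severity: str
    reason: str

def _matches_exfil_host(host: str) -> bool:
    host = host.lower().rstrip(".")  # normalise case and trailing dot; match subdomains too
    return any(host == h or host.endswith("." + h) for h in KNOWN_EXFIL_HOSTS)

def triage(lines):
    """Return one Finding per event consistent with OnLineGames.BX exfiltration."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:  # unparseable lines are skipped, not treated as clean
            continue
        image, host = m.group("image"), m.group("host")
        base = image.rsplit("\\", 1)[-1].lower()  # image name without directory
        if not _matches_exfil_host(host):
            continue
        if base in HOOKED_GAME_PROCESSES or base in HOOKED_IM_PROCESSES:
            sev, why = "high", "hooked game/IM process contacting known exfiltration host"
        else:
            sev, why = "medium", "unexpected process contacting known exfiltration host"
        findings.append(Finding(n, base, host.lower(), sev, why))
    return findings

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "2009-02-06T10:01:02 pid=1234 image=C:\\Games\\MapleStory.exe dest=login.example.net:8484",
    "2009-02-06T10:01:05 pid=1234 image=C:\\Games\\MapleStory.exe dest=ccaatt.com:80",
    "2009-02-06T10:02:00 pid=2222 image=C:\\Windows\\explorer.exe dest=www.CCAATT.com:80",
]
```

Running `triage(SAMPLE_LOG)` yields a high-severity finding for the MapleStory.exe event and a medium one for explorer.exe; the login-server event is not flagged because the advisory gives no indicator for it.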
 
Analysis by Shawn Wang

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.51.360.0
Latest detected by definition: 1.177.74.0 and higher
First detected on: Feb 06, 2009
This entry was first published on: Oct 07, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-GameThief.Win32.Magania.cfef (Kaspersky)
  • W32/OnLineGames.KWIF (Norman)
  • Trojan.PWS.Magania.VIE (VirusBuster)
  • Win32/PSW.OnLineGames.NTR (ESET)
  • Infostealer.Gampass (Symantec)