 

PWS:Win32/Dozmot.D


PWS:Win32/Dozmot.D is a password stealer for online games, for example "Perfect World". It collects the user's account name and password and sends the data to a remote server.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

PWS:Win32/Dozmot.D is a password stealer for online games; in the wild it has been observed targeting "Perfect World". It collects the user's account name and password and sends the data to a remote server.
Installation
PWS:Win32/Dozmot.D may be downloaded by other malware. In the wild, this trojan has been distributed from sites such as the following:
 
stt.dsdwwewe.com
cc.028pm.cn:9999
up.cj-vv.cn:889
xinu708.3322.org:89
qqhx7777sf.com
 
The trojan has also been observed hosted under file names such as the following:
 
ok8.exe
xx8.exe
zx2.exe
6.exe
 
Once downloaded and executed, the trojan may drop and install a DLL component into the Temporary files folder, as in the following examples:
 
%temp%\gg.dll
%temp%\mz.dll
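The hosts, file names and dropped DLLs above are the indicators a responder would search for. The following is an added example, not code from the original write-up or from Microsoft: a small Python matcher that runs the listed indicators over proxy log lines and a file listing. The indicator values are the ones given on this page; the log lines, the file paths and the `alice` user name are constructed for illustration. Where the page lists a host with a port, the example still matches the host on any port but annotates a mismatch, since a changed port is worth knowing about rather than silently missing.

```python
"""Hunt for the PWS:Win32/Dozmot.D indicators listed above.

Added example: not code from the original write-up. The indicator values
are taken from the page; the log lines and file paths are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Distribution hosts. Where the page lists a port it is kept as the
# expected value; a connection to the host on another port still matches
# but is annotated.
DOZMOT_HOSTS = {
    "stt.dsdwwewe.com": None,
    "cc.028pm.cn": 9999,
    "up.cj-vv.cn": 889,
    "xinu708.3322.org": 89,
    "qqhx7777sf.com": None,
}
# File names the trojan was hosted under, and the DLLs it drops in %temp%.
DOZMOT_FILENAMES = {"ok8.exe", "xx8.exe", "zx2.exe", "6.exe"}
DOZMOT_DROPPED = {"gg.dll", "mz.dll"}


@dataclass
class Hit:
    kind: str        # "host", "download" or "dropped"
    indicator: str   # the matched IOC value
    detail: str      # port note, full URL or full path


# host[:port] tokens: one or more dotted labels followed by an alphabetic TLD.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d+))?", re.I)


def match_network(line: str) -> List[Hit]:
    """Flag any listed distribution host appearing in a proxy/DNS log line."""
    hits = []
    for host, port in _HOST_RE.findall(line):
        host = host.lower()
        if host not in DOZMOT_HOSTS:
            continue
        expected = DOZMOT_HOSTS[host]
        if expected is not None and port and int(port) != expected:
            detail = f"unexpected port {port} (listed: {expected})"
        else:
            detail = f"port {port or 'n/a'}"
        hits.append(Hit("host", host, detail))
    return hits


def match_download(line: str) -> List[Hit]:
    """Flag URLs whose final path component is one of the listed file names."""
    hits = []
    for url in re.findall(r"https?://\S+", line):
        name = url.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
        if name in DOZMOT_FILENAMES:
            hits.append(Hit("download", name, url))
    return hits


def match_dropped(paths: Iterable[str]) -> List[Hit]:
    """Flag paths (Windows or POSIX separators) whose file name is a dropped DLL."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DOZMOT_DROPPED:
            hits.append(Hit("dropped", name, path))
    return hits


def scan_temp_dir(path: Optional[str] = None) -> List[Hit]:
    """Live check of the current user's temp folder (%temp% on Windows)."""
    path = path or tempfile.gettempdir()
    try:
        return match_dropped(os.path.join(path, e) for e in os.listdir(path))
    except OSError:
        return []


def hunt(log_lines: Iterable[str], file_paths: Iterable[str]) -> List[Hit]:
    """Run all three matchers; returns hits in the order they were found."""
    hits: List[Hit] = []
    for line in log_lines:
        hits += match_network(line)
        hits += match_download(line)
    hits += match_dropped(file_paths)
    return hits


# Constructed sample input (not from the page): two downloads, one benign
# request, and a CONNECT to a listed host on a port other than the listed one.
SAMPLE_PROXY_LOG = [
    "2010-05-14T10:02:11 GET http://cc.028pm.cn:9999/ok8.exe 200 71234",
    "2010-05-14T10:02:13 GET http://xinu708.3322.org:89/6.exe 200 71234",
    "2010-05-14T10:03:40 GET http://www.example.com/index.html 200 4121",
    "2010-05-14T10:05:02 CONNECT up.cj-vv.cn:443 200 0",
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\gg.dll",
    r"C:\Users\alice\AppData\Local\Temp\report.tmp",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG, SAMPLE_FILES):
        print(f"{hit.kind:9} {hit.indicator:20} {hit.detail}")
```

Note that "6.exe" and the dropped DLL names are generic enough to collide with legitimate files; treat a file-name hit alone as weak and confirm it with a hash or a host hit from the same time window before acting on it.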
Payload
Steals online game information
PWS:Win32/Dozmot.D modifies the memory of currently running online game processes in order to steal the following information:
 
  • User name
  • Password
  • Server address
  • Character information
 
This information is then collected and sent to a remote server.
 
In the wild, PWS:Win32/Dozmot.D has been observed to steal information from the game "Perfect World". However, other Dozmot.D samples may target other games.
 
Terminates processes
PWS:Win32/Dozmot.D attempts to terminate the game process to force the user to log in again, so that the credentials are entered afresh while the stealer is active.
 
Analysis by Chun Feng

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.81.1685.0
Latest detected by definition: 1.185.2106.0 and higher
First detected on: May 14, 2010
This entry was first published on: Sep 16, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/OnlineGames.CL.gen!Eldorado (Command)
  • Trojan-GameThief.Win32.OnLineGames.bnkb (Kaspersky)
  • W32/Magania.GZ (Norman)
  • Trojan.PWS.Magania.ALGW (VirusBuster)
  • Trojan horse PSW.OnlineGames3.ATCA (AVG)
  • TR/PSW.OnlineGames.bnkb.71 (Avira)
  • Trojan.Generic.4628555 (BitDefender)
  • Win32/Onlinegames!generic (CA)
  • Trojan.PWS.Gamania.27856 (Dr.Web)
  • Win32/PSW.WOW.NQS (ESET)
  • Trojan-GameThief.Win32.WOW (Ikarus)
  • PWS-Mmorpg!px (McAfee)
  • Trj/Lineage.LNC (Panda)
  • Trojan.Win32.FakeKsUsr.a (Rising AV)
  • Trojan.Win32.Generic!BT (Sunbelt Software)
  • Infostealer.Onlinegame (Symantec)