You have been re-routed to the PWS:Win32/Dozmot.D write up because PWS%3aWin32%2fDozmot.D has been renamed to PWS:Win32/Dozmot.D


PWS:Win32/Dozmot.D is a password stealer for various online games, for example, "Perfect World". It collects information on the user's account and password, and sends the data to a remote server.

What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see

Threat behavior

PWS:Win32/Dozmot.D is a password stealer for the online game "Perfect World". It collects information on the user's account and password, and sends the data to a remote server.
PWS:Win32/Dozmot.D may be downloaded by other malware. In the wild, this trojan has been distributed from sites such as the following:
The trojan was also observed to be hosted as various file names such as the following:
Once downloaded and executed, the trojan may drop and install a DLL component into the Temporary files folder as in the following examples:
Steals online game information
By modifying the game process memory, PWS:Win32/Dozmot.D attempts to steal the following information from currently-running online game processes:
  • User name
  • Password
  • Server address
  • Character information
This information is then collected and sent to a remote server.
In the wild, PWS:Win32/Dozmot.D has been observed to steal information from the game "Perfect World". However, other Dozmot.D samples may target other games.
Terminates processes
PWS:Win32/Dozmot.D attempts to terminate the game process to force the user to re-login.
Analysis by Chun Feng


There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Alert level: Severe
First detected by definition: 1.81.1685.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: May 14, 2010
This entry was first published on: Sep 16, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/OnlineGames.CL.gen!Eldorado (Command)
  • Trojan-GameThief.Win32.OnLineGames.bnkb (Kaspersky)
  • W32/Magania.GZ (Norman)
  • Trojan.PWS.Magania.ALGW (VirusBuster)
  • Trojan horse PSW.OnlineGames3.ATCA (AVG)
  • TR/PSW.OnlineGames.bnkb.71 (Avira)
  • Trojan.Generic.4628555 (BitDefender)
  • Win32/Onlinegames!generic (CA)
  • Trojan.PWS.Gamania.27856 (Dr.Web)
  • Win32/PSW.WOW.NQS (ESET)
  • Trojan-GameThief.Win32.WOW (Ikarus)
  • PWS-Mmorpg!px (McAfee)
  • Trj/Lineage.LNC (Panda)
  • Trojan.Win32.FakeKsUsr.a (Rising AV)
  • Trojan.Win32.Generic!BT (Sunbelt Software)
  • Infostealer.Onlinegame (Symantec)