PWS:Win32/Dozmot.D is a password stealer for the online game "Perfect World". It collects information on the user's account and password, and sends the data to a remote server.
PWS:Win32/Dozmot.D may be downloaded by other malware. In the wild, this trojan has been distributed from sites such as the following:
The trojan has also been observed hosted under various file names, such as the following:
Once downloaded and executed, the trojan may drop and install a DLL component into the Temporary files folder as in the following examples:
Steals online game information
By modifying the game process memory, PWS:Win32/Dozmot.D attempts to steal the following information from currently running online game processes:
This information is then collected and sent to a remote server.
In the wild, PWS:Win32/Dozmot.D has been observed to steal information from the game "Perfect World". However, other Dozmot.D samples may target other games.
PWS:Win32/Dozmot.D attempts to terminate the game process to force the user to log in again.
Analysis by Chun Feng