
PWS:Win32/OnLineGames.AH


Microsoft security software detects and removes this threat. 

This threat can steal your online game credentials when you visit certain websites.

It can be installed on your PC by TrojanDropper:WinNT/Enterok.A.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Change your passwords

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat can be installed by other malware.

It makes the following changes to the registry as part of its installation process:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
Sets value: (default)
With data: "<malware path and file name>"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: "0"

It is installed as a Browser Helper Object (BHO) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: (value not set)

Payload

Steals online game credentials

This threat can monitor, and attempt to steal, the credentials you type into the following websites:

  • aran.kr.gameclub.com
  • auth.siren24.com
  • baram.nexon.com
  • bns.plaync.com
  • booknlife.com
  • capogames.net
  • cultureland.co.kr
  • df.nexon.com
  • dk.halgame.com
  • elsword.nexon.com
  • hangame.com
  • happymoney.co.kr
  • heroes.nexon.com
  • id.hangame.com
  • itembay.com
  • itemmania.com
  • kr.battle.net
  • lcs.mezzo.hangame.com
  • login.nexon.com
  • netmarble.net
  • nexon.com
  • nxpay.nexon.com
  • pmang.com
  • poker.hangame.com
  • teencash.co.kr

Contacts remote hosts

The malware can connect to the following remote hosts to download additional settings and components, or upload its stolen information:

  • angel.frovez<removed>/cs0719
  • lullaby.dovzle<removed>/cs0719

Analysis by Alden Pornasdoro


Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
     
    In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
    Sets value: (default)
    With data: "<malware path and file name>"
     
    In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
    Sets value: (default)
    With data: "0"
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
    Sets value: (default)
    With data: (value not set)
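The registry entries listed under "Installation" and repeated here under "Symptoms" are the most direct host-side check for this threat: a CLSID key, an InProcServer32 default value pointing at the malware DLL, and the Browser Helper Object registration that makes Internet Explorer load it. The following PowerShell script is an added example, not part of the Microsoft write-up, that reads those three locations and reports what it finds. The key paths are the write-up's, written in PowerShell registry-provider notation; the function name Get-OnLineGamesAHArtifacts is chosen here, and the two Wow6432Node paths are an assumption about where a 32-bit BHO lands on 64-bit Windows, not something the write-up states. The script only reads and reports; removal is left to the security software the page recommends.

```powershell
# Added example, not part of the Microsoft write-up: read-only check for the
# registry artifacts listed for PWS:Win32/OnLineGames.AH. Run from an elevated
# PowerShell prompt on the host being triaged.

$Clsid = '{AB705622-B25B-491B-A6BF-4A46FDDBC88E}'

# Locations taken from the write-up, in PowerShell registry-provider notation.
$Locations = @(
    [pscustomobject]@{ Name = 'COM server (InProcServer32)'
                       Path = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32" }
    [pscustomobject]@{ Name = 'CLSID key'
                       Path = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid" }
    [pscustomobject]@{ Name = 'Browser Helper Object registration'
                       Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid" }
    # Assumption, not from the write-up: on 64-bit Windows a 32-bit BHO is
    # registered in the WOW64-redirected views, so those are checked too.
    [pscustomobject]@{ Name = 'COM server (InProcServer32, WOW64 view)'
                       Path = "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InProcServer32" }
    [pscustomobject]@{ Name = 'Browser Helper Object registration (WOW64 view)'
                       Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid" }
)

function Get-OnLineGamesAHArtifacts {
    foreach ($loc in $Locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }

        # The registry provider exposes the (default) value as a property
        # literally named '(default)'; $null here means "(value not set)".
        $item    = Get-ItemProperty -LiteralPath $loc.Path -ErrorAction SilentlyContinue
        $default = $item.'(default)'

        # For InProcServer32 the default value is the DLL Internet Explorer
        # would load; record its SHA-256 for the incident record if it exists.
        $hash = $null
        if ($loc.Path -like '*\InProcServer32' -and $default -and (Test-Path -LiteralPath $default)) {
            $hash = (Get-FileHash -LiteralPath $default -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Check   = $loc.Name
            Path    = $loc.Path
            Default = if ($null -eq $default) { '(value not set)' } else { $default }
            Sha256  = $hash
        }
    }
}

$findings = @(Get-OnLineGamesAHArtifacts)
if ($findings.Count -eq 0) {
    Write-Output "No registry artifacts for CLSID $Clsid found."
} else {
    $findings | Format-List
}
```

A hit on the BHO registration key alone is enough to warrant a full scan, since that key is what causes the DLL to be loaded into the browser; the InProcServer32 value tells you which file to collect, and the hash lets you match it against the detection definitions listed at the end of this page.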

Prevention


Alert level: Severe
First detected by definition: 1.47.667.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Nov 22, 2008
This entry was first published on: Nov 22, 2008
This entry was updated on: Jun 03, 2015

This threat is also detected as:
No known aliases