
PWS:Win32/OnLineGames.AH


PWS:Win32/OnLineGames.AH is a trojan that steals your online game credentials when you visit certain websites.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

The malware may steal your information by recording your usernames and passwords. After removing the threat, you should change your passwords. Please refer to the following advisory for tips on how to create and use passwords:

Threat behavior

Installation

PWS:Win32/OnLineGames.AH may be installed by other malware, and makes the following changes to the registry as part of its installation process:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
Sets value: (default)
With data: "<malware path and file name> "

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: "0"

It is installed as a Browser Helper Object (BHO) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
Sets value: (default)
With data: (value not set)

Payload

Steals online game credentials

Once installed, PWS:Win32/OnLineGames.AH will monitor, and attempt to steal, the credentials you type into the following websites:

  • aran.kr.gameclub.com
  • auth.siren24.com
  • baram.nexon.com
  • bns.plaync.com
  • booknlife.com
  • capogames.net
  • cultureland.co.kr
  • df.nexon.com
  • dk.halgame.com
  • elsword.nexon.com
  • hangame.com
  • happymoney.co.kr
  • heroes.nexon.com
  • id.hangame.com
  • itembay.com
  • itemmania.com
  • kr.battle.net
  • lcs.mezzo.hangame.com
  • login.nexon.com
  • netmarble.net
  • nexon.com
  • nxpay.nexon.com
  • pmang.com
  • poker.hangame.com
  • teencash.co.kr

Contacts remote hosts

PWS:Win32/OnLineGames.AH may also connect to the following remote hosts to download additional settings and components, or to post its stolen information:

  • angel.frovez<removed>/cs0719
  • lullaby.dovzle<removed>/cs0719

Analysis by Alden Pornasdoro


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InProcServer32
    Sets value: (default)
    With data: "<malware path and file name> "

    In subkey: HKLM\SOFTWARE\Classes\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
    Sets value: (default)
    With data: "0"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}
    Sets value: (default)
    With data: (value not set)

  • It also deletes the following registry entry if it exists on your computer:

    HKCR\CLSID\SOS_OTP
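The registry artifacts listed under Installation and System changes above can be checked directly from an elevated PowerShell prompt. The script below is an added example, not part of this write-up and not a Microsoft tool: it tests for the three keys and the SOS_OTP key named in the write-up, and it also goes one step further by enumerating every registered Browser Helper Object, resolving the DLL each one loads into Internet Explorer, and reporting whether that DLL exists and carries a valid Authenticode signature, which is how an analyst would catch a BHO of this kind registered under a different CLSID. Only the CLSID, the key paths and the SOS_OTP key come from the write-up; the Wow6432Node paths (32-bit BHOs on 64-bit Windows), the function names and the output fields are this example's own.

```powershell
# Added triage script for the BHO registry artifacts in this write-up.
# The CLSID, the three key paths and HKCR\CLSID\SOS_OTP come from the write-up;
# everything else (Wow6432Node roots, names, output fields) is this example's own.
# Run from an elevated PowerShell prompt on the host being examined.

$KnownClsid = '{AB705622-B25B-491B-A6BF-4A46FDDBC88E}'

# BHO registration roots. The Wow6432Node entries cover 32-bit BHOs on 64-bit
# Windows and are an addition here; the write-up lists only the native path.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-RegisteredBho {
    # Enumerate every BHO CLSID and resolve the DLL its InProcServer32 key points at.
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $clsid = $sub.PSChildName
            $dll = $null
            foreach ($clsidRoot in $ClsidRoots) {
                $inproc = Join-Path $clsidRoot "$clsid\InProcServer32"
                if (-not (Test-Path -LiteralPath $inproc)) { continue }
                $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($raw) {
                    # Strip surrounding quotes/whitespace and expand %SystemRoot%-style variables.
                    $clean = ($raw -replace '^"|"$', '').Trim()
                    $dll = [Environment]::ExpandEnvironmentVariables($clean)
                    break
                }
            }
            $dllExists = $false
            $sigStatus = 'n/a'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $dllExists = $true
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                Clsid     = $clsid
                BhoKey    = $sub.PSPath
                Dll       = $dll
                DllExists = $dllExists
                Signature = $sigStatus
                KnownIoc  = ($clsid -ieq $KnownClsid)
            }
        }
    }
}

function Test-OnLineGamesAHArtifacts {
    # Direct check of the three keys named in the write-up. SOS_OTP is reported
    # too, but its absence alone proves nothing: the malware deletes it only if
    # it was there to begin with.
    $keys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$KnownClsid\InProcServer32",
        "HKLM:\SOFTWARE\Classes\CLSID\$KnownClsid",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$KnownClsid"
    )
    $present = @($keys | Where-Object { Test-Path -LiteralPath $_ })
    [pscustomobject]@{
        IocKeysPresent  = $present
        SosOtpPresent   = Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\CLSID\SOS_OTP'
        IocKeysDetected = ($present.Count -gt 0)
    }
}

# Usage: show every BHO that is either the write-up's CLSID or loads an unsigned
# or missing DLL, then report the specific keys from this entry.
Get-RegisteredBho |
    Where-Object { $_.KnownIoc -or -not $_.DllExists -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
Test-OnLineGamesAHArtifacts
```

A hit on `IocKeysDetected` is a strong indicator for this specific variant; the broader BHO listing is the more durable check, since a BHO that loads an unsigned DLL from a user-writable directory deserves a look regardless of which CLSID it was registered under. Pair the registry result with the password change the "What to do now" section calls for, because the credentials already captured are not recovered by removing the DLL.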

Prevention


Alert level: Severe
First detected by definition: 1.47.667.0
Latest detected by definition: 1.195.956.0 and higher
First detected on: Nov 22, 2008
This entry was first published on: Nov 22, 2008
This entry was updated on: Feb 15, 2013

This threat is also detected as:
No known aliases