Follow:

You have been re-routed to the PWS:Win32/Zuten write up because PWS%3aWin32%2fZuten has been renamed to PWS:Win32/Zuten
 

PWS:Win32/Zuten


Win32/Zuten is a family of malware that steals information from online games.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Win32/Zuten is a family of malware that steals information from online games.
Installation
When executed, if the targeted game is running, Win32/Zuten terminates the game's process. The main executable then drops a DLL component with a random filename and loads it. The dropper then deletes itself.
 
When loaded, the DLL component may drop a second DLL, which is used to hide files, and a driver which is used to terminate processes.
Payload
Steals Sensitive Information
The Win32/Zuten family steals information related to online games. It accomplishes this by injecting a DLL into the targeted game process and patching API calls. The collected game information is then posted to a remote website. Some of the games targeted by Win32/Zuten include the following:
 
MapleStory
ZhengTu
Perfect World
Legend of Mir
Ruler of the Land
Rainbow Island
Eudemons Online
Fantasy Westward Journey
 
Terminates Processes
Variants of Win32/Zuten usually search for and terminate processes related to security products, including the following (for example):
 
avp.exe
RavMon.exe
360Tray.exe
360Safe.exe
killer_Gdwli32.exe
QQDoctor.exe
 
Uses Advanced Stealth
Variants of Win32/Zuten may drop a DLL component that is used to hide files associated with the trojan. This DLL may be detected as VirTool:WinNT/Zuten.
 
Analysis by Ray Roberts

Symptoms

System Changes
There are no obvious system changes that may indicate the presence of PWS:Win32/Zuten.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.155.1498.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jun 03, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases