Win32/Zuten is a family of malware that steals information from online games.
When executed, Win32/Zuten first checks whether the targeted game is running and, if it is, terminates the game's process. The main executable then drops a DLL component with a random filename, loads it, and deletes itself.
When loaded, the DLL component may drop a second DLL, which is used to hide files, and a driver, which is used to terminate processes.
Steals Sensitive Information
The Win32/Zuten family steals information related to online games. It accomplishes this by injecting a DLL into the targeted game process and patching API calls. The collected game information is then posted to a remote website. Some of the games targeted by Win32/Zuten include the following:
Legend of Mir
Ruler of the Land
Fantasy Westward Journey
Variants of Win32/Zuten usually search for and terminate processes belonging to security products, for example the following:
Uses Advanced Stealth
Variants of Win32/Zuten may drop a DLL component that is used to hide files associated with the trojan. This DLL may be detected as VirTool:WinNT/Zuten.
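The behaviour chain described above (dropper loads a randomly named DLL, the game process and security-product processes are terminated, an extra driver is dropped) can be turned into host-based detection logic. The following is an added example that is not part of the original analysis and is not Microsoft's tooling: it correlates a few constructed Sysmon-style events (Event ID 7 image load, Event ID 6 driver load, Event ID 10 process access) per source process. The image names in the watchlists, the file paths, and the assumption that the dropped DLL and driver are unsigned are all hypothetical; the page does not state the signing status of the components.

```python
"""Added example: correlate Sysmon-style events into the Win32/Zuten
dropper/loader chain.  Illustrative detection logic only; process names,
paths and the 'unsigned component' assumption are invented for the demo."""
from collections import defaultdict

PROCESS_TERMINATE = 0x0001  # bit in the GrantedAccess mask of Sysmon Event ID 10

# Hypothetical watchlists: game processes the family targets, and security
# products it tries to kill.  Real image names would come from an inventory.
GAME_PROCESSES = {"mir.exe", "rotl.exe", "fwj.exe"}
SECURITY_PROCESSES = {"avp.exe", "msmpeng.exe"}

# Constructed sample events (a subset of Sysmon fields, already parsed).
SAMPLE_EVENTS = [
    # PID 4120: dropper loads a signed system DLL, then an unsigned DLL with a
    # random-looking name (assumed unsigned; the page does not say so).
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\bob\Desktop\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\bob\Desktop\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\xk9qz2pl.dll", "Signed": "false"},
    # PID 4120 opens the game process with exactly PROCESS_TERMINATE.
    {"EventID": 10, "SourceProcessId": 4120, "SourceImage": r"C:\Users\bob\Desktop\setup.exe",
     "TargetImage": r"C:\Games\Mir\mir.exe", "GrantedAccess": "0x1"},
    # An unsigned driver appears (hypothetical name).
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\qw7lz.sys", "Signed": "false"},
    # PID 4120 opens an AV process with full access (which includes PROCESS_TERMINATE).
    {"EventID": 10, "SourceProcessId": 4120, "SourceImage": r"C:\Users\bob\Desktop\setup.exe",
     "TargetImage": r"C:\Program Files\AV\avp.exe", "GrantedAccess": "0x1fffff"},
    # Benign noise: explorer loading a signed DLL, a debugger opening notepad.
    {"EventID": 7, "ProcessId": 880, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 10, "SourceProcessId": 2212, "SourceImage": r"C:\Tools\x64dbg.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_terminate_right(granted_access):
    """GrantedAccess is a hex string such as '0x1fffff'; test the TERMINATE bit."""
    return bool(int(granted_access, 16) & PROCESS_TERMINATE)


def indicators_by_process(events):
    """Map source PID -> list of 'kind:detail' indicators matching the chain."""
    found = defaultdict(list)
    for ev in events:
        eid = ev["EventID"]
        if eid == 7 and ev.get("Signed", "").lower() == "false":
            found[ev["ProcessId"]].append("unsigned_dll:" + basename(ev["ImageLoaded"]))
        elif eid == 10 and has_terminate_right(ev["GrantedAccess"]):
            target = basename(ev["TargetImage"])
            if target in GAME_PROCESSES:
                found[ev["SourceProcessId"]].append("terminate_game:" + target)
            elif target in SECURITY_PROCESSES:
                found[ev["SourceProcessId"]].append("terminate_security:" + target)
    return dict(found)


def unsigned_drivers(events):
    """Driver loads (Event ID 6) that Sysmon reports as unsigned."""
    return [basename(ev["ImageLoaded"]) for ev in events
            if ev["EventID"] == 6 and ev.get("Signed", "").lower() == "false"]


def alerts(events, min_indicators=2):
    """PIDs showing at least min_indicators distinct kinds of Zuten-like behaviour."""
    return {pid for pid, inds in indicators_by_process(events).items()
            if len({i.split(":", 1)[0] for i in inds}) >= min_indicators}


if __name__ == "__main__":
    for pid in sorted(alerts(SAMPLE_EVENTS)):
        print(pid, indicators_by_process(SAMPLE_EVENTS)[pid])
    print("unsigned drivers:", unsigned_drivers(SAMPLE_EVENTS))
```

The threshold of two distinct indicator kinds keeps a lone debugger or an unsigned in-house DLL from alerting on its own. One caveat follows directly from the analysis: terminations performed by the dropped driver happen in the kernel and do not generate Event ID 10 from the user-mode dropper, so the unsigned-driver check is a host-level signal to be reviewed alongside the per-process alerts rather than a substitute for them.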
Analysis by Ray Roberts