PWS:Win32/OnLineGames.BX is a detection for a trojan that steals account information for certain online games and instant messaging applications. It logs the stolen account information by intercepting network traffic and monitoring specific APIs. It then sends the stolen information to a remote server.
Steals Account Information
PWS:Win32/OnLineGames.BX is loaded when applications try to use the Windows Socket (Winsock) functions. It attempts to intercept the network connect, receive, send, and close operations if the process name is any of the following:
Most of these processes are associated with online games.
PWS:Win32/OnLineGames.BX tries to intercept the 'CryptEncrypt' and 'CryptDecrypt' APIs and network connection operations if the process name is any of the following:
Most of these processes are associated with instant messaging and other online applications.
It then filters the intercepted network traffic to log information, including the following:
- Account name
- Login server
PWS:Win32/OnLineGames.BX then sends the logged information to a remote server. One remote server it has been observed to send information to is 'ccaatt.com'.
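The interception described above (Winsock connect/send/receive/close and the CryptEncrypt/CryptDecrypt APIs) is normally done by patching the entry bytes of those exports inside the victim process. As an added defender-side example, not code from this write-up, the following module compares the prologue bytes of each watched export as seen in process memory with the bytes of the same export on disk, and also recognises common trampoline opcodes at the function entry; the byte strings are constructed sample data, and reading them from a live process is left to the caller.

```python
# Added example: user-mode API hook check for the exports the trojan targets.
from dataclasses import dataclass
from typing import Optional

# Exports named in the write-up; the module names are the standard Windows hosts.
WATCHED_EXPORTS = {
    "ws2_32.dll": ["connect", "send", "recv", "closesocket"],
    "advapi32.dll": ["CryptEncrypt", "CryptDecrypt"],
}

# Common unhooked 32-bit prologue: mov edi,edi; push ebp; mov ebp,esp (constructed reference)
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")

@dataclass
class Finding:
    module: str
    export: str
    reason: str

def trampoline_kind(prologue: bytes) -> Optional[str]:
    """Name a recognisable hook trampoline at the function entry, or None if none."""
    if prologue[:1] == b"\xe9":                              # JMP rel32
        return "jmp rel32"
    if prologue[:2] == b"\xff\x25":                          # JMP [abs32] / JMP [rip+disp32]
        return "jmp indirect"
    if prologue[:1] == b"\x68" and prologue[5:6] == b"\xc3":  # PUSH imm32; RET
        return "push/ret"
    return None

def find_hooks(memory: dict, disk: dict) -> list:
    """memory/disk map (module, export) -> entry bytes; return one Finding per hooked export."""
    findings = []
    for module, exports in WATCHED_EXPORTS.items():
        for export in exports:
            key = (module, export)
            mem = memory.get(key)
            if mem is None:
                continue  # module not loaded in this process
            kind = trampoline_kind(mem)
            if kind:
                findings.append(Finding(module, export, f"entry starts with {kind}"))
            elif key in disk and mem[:len(disk[key])] != disk[key]:
                findings.append(Finding(module, export, "entry bytes differ from on-disk image"))
    return findings

# Constructed sample process: send() and CryptEncrypt() patched, everything else clean.
SAMPLE_DISK = {(m, e): CLEAN_PROLOGUE for m, es in WATCHED_EXPORTS.items() for e in es}
SAMPLE_MEMORY = dict(SAMPLE_DISK)
SAMPLE_MEMORY[("ws2_32.dll", "send")] = bytes.fromhex("e910203040") + b"\x90"        # jmp rel32
SAMPLE_MEMORY[("advapi32.dll", "CryptEncrypt")] = bytes.fromhex("ff2500104000")      # jmp [abs]

if __name__ == "__main__":
    for f in find_hooks(SAMPLE_MEMORY, SAMPLE_DISK):
        print(f"{f.module}!{f.export}: {f.reason}")
```

A clean result on a host does not prove the absence of the trojan; hooks placed through the import table or a rewritten export table leave the entry bytes intact and need a separate IAT/EAT comparison.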
Analysis by Shawn Wang