PWS:Win32/OnLineGames.ZDV!dll


PWS:Win32/OnLineGames.ZDV!dll is a detection for a password-stealing trojan that targets online games.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

PWS:Win32/OnLineGames.ZDV!dll is a detection for a password-stealing trojan that targets online games.

Installation

PWS:Win32/OnLineGames.ZDV!dll is installed by other malware, such as PWS:Win32/OnLineGames.ZDV, and is present as a DLL file in the Windows system folder:

  • <system folder>\imm32.dll

The malware replaces the legitimate copy of 'imm32.dll' with its own copy, so the malicious DLL is run each time a program that uses this system file is started, for example Internet Explorer or Mozilla Firefox.

For more details about its installation, see the description for PWS:Win32/OnLineGames.ZDV elsewhere in the encyclopedia.

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Payload

Steals sensitive information

When PWS:Win32/OnLineGames.ZDV!dll is loaded by iexplore.exe, it attempts to capture logon information and user account credentials as the affected user logs on to the following websites:

  • lineage.plaync.co.kr
  • hangame.com
  • aion.plaync.co.kr
  • bm.ndoors.com
  • pmang.com
  • login.netmarble.net

It also monitors and captures user credentials when the trojan is loaded by the following processes, which are related to online games:

  • dnf.exe
  • MapleStory.exe
  • lin.bin
  • ff2client.exe
  • heroes.exe
  • Game.exe
  • ExLauncher.exe
  • TERA.exe
  • OTP
  • AION.bin

The collected information may be logged to the following files in the <system folder>:

  • AionLog.ini
  • DfLog.ini
  • FFLog.ini
  • GameLog.ini
  • hangame.ini
  • LuoqiLog.ini
  • MXDLog.ini
  • pmangLog.ini
  • TianyiLog.ini

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The captured data may be sent to one of the following sites via HTTP POST:


Additional information

The trojan PWS:Win32/OnLineGames.ZDV!dll exits if it is loaded by any of the following processes:

  • SkyMon.exe
  • V3Light.exe
  • V3LSvc.exe
  • V3LTray.exe
  • SystemMon.exe
  • ALYac.aye
  • AyAgent.aye

Analysis by Jonathan San Jose


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    <system folder>\imm32.dll
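An added host-triage script, not part of this encyclopedia entry, that checks the two indicators described above: whether the system folder's imm32.dll still carries a valid Microsoft signature, and whether any of the credential log files listed under "Payload" are present. It assumes Windows PowerShell run elevated on the suspect host, and that the genuine imm32.dll is Microsoft-signed.

```powershell
# Added triage script, not part of this encyclopedia entry.
# Assumes: Windows PowerShell run elevated on the suspect host, and that the
# genuine imm32.dll is signed by Microsoft (embedded or catalog signature).
function Test-OnLineGamesZdvIndicators {
    $systemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
    $findings = @()

    # 1. The trojan replaces imm32.dll with its own copy. A genuine copy carries a
    #    Microsoft signature; a replaced copy is typically unsigned or signed by
    #    another publisher. Caveat: on Windows 7 and earlier, catalog-signed system
    #    files can be reported as NotSigned here, so treat that result as
    #    "verify further" rather than as proof of infection.
    $imm32  = Join-Path $systemFolder 'imm32.dll'
    $sig    = Get-AuthenticodeSignature -FilePath $imm32
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $findings += [PSCustomObject]@{
        Indicator  = 'imm32.dll signature'
        Path       = $imm32
        Detail     = "Status=$($sig.Status); Signer=$signer"
        Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }

    # 2. Credential log files that this entry says are written to the system folder.
    $logNames = 'AionLog.ini','DfLog.ini','FFLog.ini','GameLog.ini','hangame.ini',
                'LuoqiLog.ini','MXDLog.ini','pmangLog.ini','TianyiLog.ini'
    foreach ($name in $logNames) {
        $path = Join-Path $systemFolder $name
        if (Test-Path -LiteralPath $path) {
            $findings += [PSCustomObject]@{
                Indicator  = 'credential log file'
                Path       = $path
                Detail     = "Size=$((Get-Item -LiteralPath $path).Length) bytes"
                Suspicious = $true
            }
        }
    }
    return $findings
}

Test-OnLineGamesZdvIndicators | Format-Table -AutoSize
```

Any finding flagged as suspicious warrants the full scan with an up-to-date security solution that this entry recommends; on Vista and later, `sfc /verifyfile=<path to imm32.dll>` independently confirms whether the file matches the protected system copy.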

Prevention


Alert level: Severe
First detected by definition: 1.97.544.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jan 28, 2011
This entry was first published on: Jan 28, 2011
This entry was updated on: Jun 17, 2011

This threat is also detected as:
No known aliases