PWS:Win32/OnLineGames.FR

PWS:Win32/OnLineGames.FR is a trojan that steals passwords and other sensitive information. It can also download arbitrary files from certain Web servers.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

PWS:Win32/OnLineGames.FR is a trojan that steals passwords and other sensitive information. It can also download arbitrary files from certain Web servers.

Installation

Upon execution, PWS:Win32/OnLineGames.FR drops its DLL component as the following file:
 
  • <system folder>\sysmxd.dll - also detected as PWS:Win32/OnLineGames.FR
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
 
This DLL component is then injected into the "explorer.exe" process.
 
PWS:Win32/OnLineGames.FR also registers its DLL component by creating the following registry entries:
 
Adds value: "{3FDEB171-8F86-0004-0001-69B8DB553683}"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
 
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}
 
Adds value: "(default)"
With data: "<system folder>\sysmxd.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32

Payload

Downloads arbitrary files

PWS:Win32/OnLineGames.FR downloads files from certain servers, such as the following:
 
  • kaonimabi.cn
  • rinimabi.cn
  • ghosthack.com.cn
 
The downloaded file is then saved as the following:
 
  • %windir%\ver.txt
 

Steals sensitive information

Using its DLL component, PWS:Win32/OnLineGames.FR can steal sensitive information, such as user names and passwords, from certain Web sites.
 
Analysis by Francis Allan Tan Seng

Symptoms

System changes

The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    <system folder>\sysmxd.dll
  • The presence of the following registry modifications:
    Added value: "(default)"
    With data: "<system folder>\sysmxd.dll"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32
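The Installation and System changes sections above describe the same persistence mechanism: a CLSID registered under Explorer's ShellExecuteHooks key whose InProcServer32 points at the dropped DLL, so that explorer.exe loads it. The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry, that audits those indicators read-only: it checks for the dropped DLL and the downloaded ver.txt, lists every ShellExecuteHooks CLSID with the DLL it resolves to (so an unexpected hook stands out even if the CLSID differs), and checks whether the DLL is currently loaded in explorer.exe. The CLSID and file names are the ones documented in this entry; everything else (variable names, output format) is the example's own choice.

```powershell
# Added example, not from the encyclopedia entry. Read-only audit of the
# persistence and file indicators documented for PWS:Win32/OnLineGames.FR.
# Reports only; it does not delete files or registry values. Run elevated
# so HKLM and explorer.exe's module list are readable.

$KnownClsid = '{3FDEB171-8F86-0004-0001-69B8DB553683}'   # CLSID from the entry
$KnownDll   = 'sysmxd.dll'                                # dropped DLL name from the entry
$SystemDir  = [Environment]::SystemDirectory              # the entry's <system folder>
$WinDir     = $env:windir                                 # the entry's %windir%

$findings = @()

# 1. File indicators: the dropped DLL and the downloaded ver.txt
$filePaths = @((Join-Path $SystemDir $KnownDll), (Join-Path $WinDir 'ver.txt'))
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type   = 'File present'
            Detail = $path
            Note   = "$($item.Length) bytes, last written $($item.LastWriteTime)"
        }
    }
}

# 2. ShellExecuteHooks: each value name under this key is a CLSID that
#    Explorer instantiates in-process. Resolve every one to its
#    InProcServer32 path so that any unexpected DLL is visible, and flag
#    the CLSID or DLL name documented in the entry.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path -LiteralPath $hooksKey) {
    $props = Get-ItemProperty -LiteralPath $hooksKey
    $clsids = $props.PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } |          # skip PSPath etc.
        Select-Object -ExpandProperty Name
    foreach ($clsid in $clsids) {
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $dll = $null
        if (Test-Path -LiteralPath $serverKey) {
            $dll = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
        }
        $matchesClsid = ($clsid -ieq $KnownClsid)
        $matchesDll   = ($dll -and ([IO.Path]::GetFileName($dll) -ieq $KnownDll))
        $type = 'ShellExecuteHook'
        if ($matchesClsid -or $matchesDll) { $type = 'ShellExecuteHook (matches entry)' }
        $note = 'no InProcServer32 default value'
        if ($dll) { $note = "InProcServer32 = $dll" }
        $findings += [pscustomobject]@{ Type = $type; Detail = $clsid; Note = $note }
    }
}

# 3. The entry says the DLL is injected into explorer.exe: check loaded modules.
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq $KnownDll }
    } catch {
        $loaded = $null   # module list unreadable (access denied or bitness mismatch)
    }
    foreach ($m in $loaded) {
        $findings += [pscustomobject]@{
            Type   = 'Loaded in explorer.exe'
            Detail = "PID $($p.Id)"
            Note   = $m.FileName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this entry found; no ShellExecuteHooks registered.'
} else {
    $findings | Format-Table -AutoSize
}
```

On a clean system the ShellExecuteHooks key is usually empty or absent, so any CLSID listed there deserves a look regardless of whether it matches the entry's identifiers; the resolved InProcServer32 path is what to verify (publisher, signature, location). As the entry recommends, removal itself should be left to an up-to-date antivirus product rather than done by hand from this output.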

Prevention


Alert level: Severe
First detected by definition: 1.63.1010.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Aug 06, 2009
This entry was first published on: Jan 14, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-PSW.Win32.Agent.lbu (Kaspersky)
  • PSW.OnlineGames.BEMW (AVG)
  • Generic.PWStealer.82D3AA5E (BitDefender)
  • Trojan.PWS.Mgame.12 (Dr.Web)
  • Win32/PSW.OnLineGames.ODD (ESET)
  • Trojan-Banker.Win32.Banker (Ikarus)
  • PWS.y (McAfee)
  • Trj/Lineage.KCJ (Panda)
  • Infostealer.Onlinegame (Symantec)