Win32/Storark


Microsoft security software detects and removes this threat.
 
Win32/Storark is a family of trojans that steals online game passwords and sends this captured data to remote sites.


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Storark is a family of trojans that steals online game passwords and sends this captured data to remote sites.
Installation
When executed, Win32/Storark makes a copy of itself and drops a DLL into the System folder using randomly generated file names (for example <system folder>\kapjezy.dll). It then registers the dropped DLL as a COM shell execute hook, so that explorer.exe loads it at every logon (as does any other process that calls ShellExecute). The values and data are specific to the particular variant and are added to the following subkeys:
Adds value: "{<clsid>}"
With data: "0"
To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS
 
Adds value: "(default)"
With data: "<system folder>\<dll filename>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\<clsid>\INPROCSERVER32
where <clsid> is a hex string for the CLSID and <dll filename> is the file name of the dropped DLL mentioned above.

For example:
Adds value:  "(default)"
With data: "<system folder>\kapjezy.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{5A321487-4977-D98A-C8D5-6488257545A5}\INPROCSERVER32
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista and later.
 
It then adds the DLL to the AppInit_DLLs list, which causes every process that loads user32.dll to load the DLL as well:
Adds value: "AppInit_DLLs"
With data: " <system folder>\<dll filename>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs is a space- or comma-separated list, which is why the data starts with a space. On Windows 7 and later the DLL is only loaded if LoadAppInit_DLLs in the same subkey is set to 1, and Windows 8 and later ignore AppInit_DLLs entirely when Secure Boot is enabled.
 
Finally, it drops a batch file that is used to delete the original copy of Trojan:Win32/Storark that was first executed.
Payload
Steals Online Game Passwords
Win32/Storark sets up hooks to capture login information for popular online games, then sends the captured data to a remote site.
 
Changes System Security Settings
Win32/Storark disables Windows automatic updates by setting the following policy value (equivalent to the "Configure Automatic Updates" policy being disabled):
Adds value: "NoAutoUpdate"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
 
It also disables the Windows firewall for the standard (non-domain) profile by modifying the following registry entry:
 
Adds value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
 
Analysis by Chun Feng

Symptoms

The following can indicate that you have this threat on your PC:

    • Presence of the following registry entries:
       
      Adds value: "{<clsid>}"
      With data: "0"
      To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS

      Adds value: "(default)"
      With data: "<system folder>\<dll filename>"
      To subkey: HKLM\SOFTWARE\Classes\CLSID\<clsid>\INPROCSERVER32
      where <clsid> is a hex string for the CLSID and <dll filename> is the file name of the dropped DLL mentioned above.

      Adds value: "AppInit_DLLs"
      With data: " <system folder>\<dll filename>"
      To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
       
      Adds value: "NoAutoUpdate"
      With data: "1"
      To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
       
      Adds value: "EnableFirewall"
      With data: "0"
      To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
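An added example, not part of the Microsoft entry and not Microsoft's tooling: the Python script below parses the text of a `reg export` dump (for example `reg export HKLM hklm.reg`, or a hive exported from a forensic image) and reports the registry changes listed in the Installation, Payload and Symptoms sections above: any ShellExecuteHooks CLSID that is not on a small allowlist, resolved to the DLL its InprocServer32 subkey points at; every AppInit_DLLs entry; NoAutoUpdate set to 1; and EnableFirewall set to 0 for the standard profile. The embedded .reg text is constructed for the example (the kapjezy.dll name and the CLSID are the ones quoted in the entry), and the allowlist, which holds only the stock URL Exec Hook CLSID, is an assumption that should be extended for the machine being checked.

```python
"""Offline triage of a `reg export` text dump for the registry changes the
Win32/Storark entry describes. Added example, not Microsoft's tooling."""
import re

# Assumption: CLSIDs expected under ShellExecuteHooks on a clean machine.
# Only the stock URL Exec Hook is listed; extend it for the image you triage.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

# Key paths are compared upper-cased because the registry is case-insensitive.
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS"
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU"
FW_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE"
CLSID_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\CLSID\\"

# One value line: "name"=literal  or  @=literal (default value)
_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_value(raw):
    """Turn a .reg value literal into a str (REG_SZ) or int (REG_DWORD)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/expand strings kept raw; not needed for these indicators


def parse_reg(text):
    """Parse .reg text into {KEY: {VALUE_NAME: value}}; '@' is the default value.
    Keys and value names are upper-cased so lookups are case-insensitive."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = _LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2)).upper()
            keys[current][name] = _decode_value(m.group(3))
    return keys


def find_storark_indicators(reg):
    """Return (indicator, detail) pairs for the persistence and policy changes
    listed in the entry. An empty list means none of them is present."""
    hits = []
    # 1. ShellExecuteHooks CLSIDs not on the allowlist, resolved to their DLL.
    for clsid in reg.get(HOOKS_KEY, {}):
        if clsid in KNOWN_GOOD_HOOKS:
            continue
        server = reg.get(CLSID_PREFIX + clsid + "\\INPROCSERVER32", {}).get("@", "<no InprocServer32>")
        hits.append(("ShellExecuteHooks", f"{clsid} -> {server}"))
    # 2. AppInit_DLLs: space- or comma-separated list (Storark writes a leading space).
    appinit = reg.get(APPINIT_KEY, {}).get("APPINIT_DLLS", "")
    if isinstance(appinit, str) and appinit.strip():
        for dll in re.split(r"[ ,]+", appinit.strip()):
            hits.append(("AppInit_DLLs", dll))
    # 3. Automatic Updates disabled by policy.
    if reg.get(AU_KEY, {}).get("NOAUTOUPDATE") == 1:
        hits.append(("NoAutoUpdate", "automatic updates disabled by policy"))
    # 4. Windows Firewall off for the standard (non-domain) profile.
    if reg.get(FW_KEY, {}).get("ENABLEFIREWALL") == 0:
        hits.append(("EnableFirewall", "firewall disabled for StandardProfile"))
    return hits


# Constructed sample: what a `reg export` of an infected XP-era box might contain.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A321487-4977-D98A-C8D5-6488257545A5}"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A321487-4977-D98A-C8D5-6488257545A5}\InprocServer32]
@="C:\\Windows\\System32\\kapjezy.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" C:\\Windows\\System32\\kapjezy.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

if __name__ == "__main__":
    for name, detail in find_storark_indicators(parse_reg(SAMPLE_REG)):
        print(f"[!] {name}: {detail}")
```

`reg export` writes UTF-16LE with a BOM, so open a real dump with `encoding="utf-16"` before handing its text to `parse_reg`. A ShellExecuteHooks hit on its own only says that an unexpected DLL is hooked; confirm it by checking whether the DLL has a random name in the System folder and by scanning it with current signatures before attributing it to this family.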

Prevention


Alert level: Severe
This entry was first published on: May 30, 2008
This entry was updated on: Jul 16, 2015

This threat is also detected as:
No known aliases