When run, if the targeted game is running, Win32/Zuten terminates the game's process. The main executable then drops a DLL component with a random filename and loads it. The dropper then deletes itself.
When loaded, the DLL component may drop a second DLL, which is used to hide files, and a driver, which is used to terminate processes.
Steals sensitive information
The Win32/Zuten family steals information related to online games. It accomplishes this by injecting a DLL into the targeted game process and patching API calls. The collected game information is then posted to a remote website. Some of the games targeted by Win32/Zuten include the following:
Fantasy Westward Journey
Legend of Mir
Ruler of the Land
Variants of Win32/Zuten usually search for and terminate processes related to security products, including the following:
Uses advanced stealth
Variants of Win32/Zuten may drop a DLL component that is used to hide files associated with the trojan. This DLL may be detected as VirTool:WinNT/Zuten.
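As an added illustration, not part of the original entry, the following Python heuristic correlates the behaviour chain described above (game process terminated, a DLL with a random-looking name dropped and loaded, the dropper deleting itself, a driver loaded, security-product processes terminated) into a per-process finding over simplified endpoint events. The process names, paths and event records are constructed stand-ins, since the entry names none.

```python
from collections import defaultdict
# Constructed placeholder names: the page names no process images or paths.
GAME_PROCESSES = {"game_client.exe"}                  # stand-in for a targeted game
SECURITY_PROCESSES = {"av_service.exe", "av_ui.exe"}   # stand-in for security products

def basename(path):
    """Last path component, lower-cased, tolerant of Windows separators on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def looks_random(name):
    """Crude 'random filename' heuristic: a stem of 6+ characters mixing letters and digits."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 6 and any(c.isalpha() for c in stem) and any(c.isdigit() for c in stem)

def analyze(events):
    """events: (pid, own_image, event_type, target) tuples; returns {pid: [indicators]} for pids with 2+ hits."""
    by_pid = defaultdict(list)
    for pid, image, kind, target in events:
        by_pid[pid].append((image, kind, target))
    findings = {}
    for pid, evs in by_pid.items():
        own_image = basename(evs[0][0])
        dropped = {basename(t) for _, k, t in evs if k == "FileCreate" and t.lower().endswith(".dll")}
        loaded = {basename(t) for _, k, t in evs if k == "ImageLoad"}
        killed = {t.lower() for _, k, t in evs if k == "ProcessTerminate"}
        deleted = {basename(t) for _, k, t in evs if k == "FileDelete"}
        checks = [
            ("kills_game_process", bool(killed & GAME_PROCESSES)),
            ("kills_security_process", bool(killed & SECURITY_PROCESSES)),
            ("drops_and_loads_dll", bool(dropped & loaded)),
            ("random_dll_name", any(looks_random(n) for n in dropped & loaded)),
            ("self_delete", own_image in deleted),
            ("loads_driver", any(k == "DriverLoad" for _, k, _ in evs)),
        ]
        hits = [name for name, hit in checks if hit]
        if len(hits) >= 2:  # a single indicator is common in benign software
            findings[pid] = hits
    return findings

# Constructed sample telemetry, not real events: pid 100 mimics the dropper chain, pid 200 a benign installer.
DROPPER = r"C:\Users\u\Downloads\dropper.exe"
SETUP = r"C:\Program Files\App\setup.exe"
SAMPLE_EVENTS = [
    (100, DROPPER, "ProcessTerminate", "game_client.exe"),
    (100, DROPPER, "FileCreate", r"C:\Windows\Temp\qzkx8d.dll"),
    (100, DROPPER, "ImageLoad", r"C:\Windows\Temp\qzkx8d.dll"),
    (100, DROPPER, "FileDelete", DROPPER),
    (200, SETUP, "FileCreate", r"C:\Program Files\App\helper.dll"),
    (200, SETUP, "ImageLoad", r"C:\Program Files\App\helper.dll"),
]
```

Running `analyze(SAMPLE_EVENTS)` flags only pid 100; the installer's single drop-and-load indicator stays below the threshold.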