PWS:Win32/Dozmot.C is a password stealer trojan that captures logon credentials for the multi-player online games "World of Warcraft" and "Final Fantasy XI". This trojan may download and execute other malware.
Installation
PWS:Win32/Dozmot.C is installed by TrojanDropper:Win32/Dozmot.C and is present as a file having a random file name as in the following example:
<system folder>\e5jid7my.dll
The registry is modified as in the following example:
Adds value: "dll"
With data: "<system folder>\e5jid7my.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
PWS:Win32/Dozmot.C is then launched by the dropper with the aid of the Windows application "rundll32.exe", after which the dropper deletes itself and terminates.
PWS:Win32/Dozmot.C injects its code into running processes and behaves differently depending on the process to which it is attached, as described below.
Payload
Launches Internet Explorer
If PWS:Win32/Dozmot.C is injected into the processes "explorer.exe", "wmiprvse.exe", "alg.exe", "wuauclt.exe", "wscntfy.exe" or "ctfmon.exe", the trojan will load Internet Explorer using a parameter as in this example:
%Program Files%\Internet Explorer\iexplore.exe About:_.=[Madam,I'm Adam]=._
[Image: "iexplore.exe About:_.=[Madam,I'm Adam]=._" invoked by PWS:Win32/Dozmot.C]
The .DLL is unloaded and then scheduled to be deleted at the next Windows reboot.
Downloads and Executes Arbitrary Programs
If PWS:Win32/Dozmot.C is injected into "iexplore.exe" and iexplore.exe was called with "About:_.=[Madam,I'm Adam]=._" as its parameter, the trojan sends data to the domain 'b35.info'. The domain uses a server-side script to log the sent data. The data is sent in the following format:
<domain and subfolder>/lin.php?m=<MAC Address>&g=<installed game value>
Where <installed game value> is a concatenation of the following:
"wow+" - if the registry subkey 'HKLM\SOFTWARE\Blizzard Entertainment\World of Warcraft' is present
"ffxi" - if the registry subkey 'HKLM\SOFTWARE\PlayOnline[US|JP|EU]' is present
If the server replies "ok", the trojan retrieves a data file from the same domain as 'url.txt'. If this step fails, it will retry 5 times at 10-second intervals, after which the process 'iexplore.exe' is terminated.
The data file 'url.txt' contains a list of NULL-delimited URLs. PWS:Win32/Dozmot.C will download each and, if the downloaded file is executable, spawn a process from it.
Sends Other Data
If PWS:Win32/Dozmot.C is injected into the process "wow.exe" (World of Warcraft) or "pol.exe" (PlayOnline Viewer), the trojan patches computer memory in order to retrieve game data. The trojan then connects to the domain 'b35.info' and submits retrieved game data.
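The three host and network indicators described above (the "dll" value under the WindowsUpdate subkey, the iexplore.exe launch with the "About:_.=[Madam,I'm Adam]=._" parameter, and the lin.php beacon with its "g=" game value) can be checked against process, registry and proxy logs. The following detection logic is an added example, not part of the Microsoft analysis; the log line layout, the subfolder placeholder and the MAC address format are constructed assumptions, since the description does not specify them.

```python
import re

# Indicators taken from the description of PWS:Win32/Dozmot.C.
IE_MARKER = "About:_.=[Madam,I'm Adam]=._"
REG_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
C2_DOMAIN = "b35.info"
# The exact encoding of the MAC field is not given, so any non-empty token
# up to the next '&' is accepted (assumption).
BEACON_RE = re.compile(r"lin\.php\?m=(?P<mac>[^&\s\"']+)&g=(?P<g>[^&\s\"']*)")

def parse_game_value(g):
    """Decode the 'g=' field: 'wow+' and/or 'ffxi', concatenated in that order."""
    return {"wow": g.startswith("wow+"), "ffxi": g.endswith("ffxi")}

def classify(line):
    """Return (label, detail) for a log line matching a Dozmot.C indicator, else None."""
    low = line.lower()
    # Internet Explorer launched with the trojan's distinctive About: parameter.
    if "iexplore.exe" in low and IE_MARKER in line:
        return ("ie_marker_launch", IE_MARKER)
    # Dropper persistence: value "dll" written under the WindowsUpdate subkey.
    if REG_SUBKEY.lower() in low and re.search(r'value="dll"', line, re.I):
        m = re.search(r'data="([^"]*)"', line, re.I)
        return ("dropper_registry_value", m.group(1) if m else "")
    # Beacon to b35.info reporting the MAC address and installed games.
    if C2_DOMAIN in low:
        m = BEACON_RE.search(line)
        if m:
            return ("c2_beacon", parse_game_value(m.group("g")))
    return None

def scan(lines):
    """Run classify over every line and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines; the field layout is an assumption for this example.
CONSTRUCTED_LOGS = [
    "ProcessCreate CommandLine=\"C:\\Program Files\\Internet Explorer\\iexplore.exe About:_.=[Madam,I'm Adam]=._\"",
    'RegistrySet Key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate" Value="dll" Data="C:\\WINDOWS\\system32\\e5jid7my.dll"',
    'HttpRequest URL="http://b35.info/<subfolder>/lin.php?m=00-11-22-33-44-55&g=wow+ffxi"',
    'ProcessCreate CommandLine="C:\\Program Files\\Internet Explorer\\iexplore.exe http://example.com/"',
]

if __name__ == "__main__":
    for label, detail in scan(CONSTRUCTED_LOGS):
        print(label, detail)
```

The last constructed line is a benign iexplore.exe launch and produces no hit, which shows that the marker string, not the browser process itself, is what the rule keys on.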
Analysis by Cristian Craioveanu