Threat behavior
PWS:Win32/Frethog.AD is a password-stealing trojan that targets confidential data, such as account credentials for Massively Multiplayer Online Role-Playing Games (MMORPGs) such as World of Warcraft (WoW).
Installation
When executed, PWS:Win32/Frethog.AD copies itself under a random file name into the <system folder> or %windir%. It also carries a DLL component, which may be dropped in the <system folder>.
The DLL component, which also has a random file name, implements the password-stealing payload and is injected into the "explorer.exe" process.
Win32/Frethog.AD may then modify registry values in order to execute itself at each Windows start. For example:
Adds value: "ckhfs4"
With data: "%windir%\ckhfs4.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Note that the value name and data vary between samples of PWS:Win32/Frethog.AD; the entry above is one example.
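The persistence pattern above (a randomly named executable placed directly in %windir% or the system folder and registered under an HKLM Run value of the same random name) is easy to triage offline. The following script is an added example, not part of the original analysis or of any Microsoft tool: it parses the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and flags values whose image sits in a Windows system directory under a name that looks machine-generated and is not on a small allowlist. The registry output, value names (`ckhfs4`, `qzx7kd`) and the allowlist are constructed for the example and are hypothetical.

```python
"""Triage HKLM Run entries for randomly named autostart binaries in system directories.

Added example; the sample `reg query` output below is constructed, not captured
from a real host, and the value names in it are hypothetical.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# prints on a host carrying an entry of the kind described in the analysis.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    ckhfs4    REG_SZ    %windir%\ckhfs4.exe
    qzx7kd    REG_SZ    C:\WINDOWS\system32\qzx7kd.exe
"""

# Directories where a bare, unknown autostart binary is suspicious: legitimate
# software almost always autostarts from Program Files, not from the Windows root.
SYSTEM_DIRS = {
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Windows\system32"),
}

# Known-good binaries that do autostart from those directories (hypothetical, short;
# extend per environment).
ALLOWLIST = {"securityhealthsystray.exe", "ctfmon.exe"}

# One `reg query` value line: "<name>    REG_SZ|REG_EXPAND_SZ    <data>".
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def expand_env(path: str) -> str:
    """Expand the variables this family uses, with a fixed mapping (no live lookup)."""
    return path.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")


def image_path(data: str) -> PureWindowsPath:
    """Extract the executable path from value data, stripping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        exe = data[1:data.index('"', 1)]
    else:
        exe = data.split(" ", 1)[0]
    return PureWindowsPath(expand_env(exe))


def looks_random(name: str) -> bool:
    """Heuristic for generated names: letters mixed with digits, or almost no vowels."""
    stem = name.lower()
    if re.search(r"[a-z]\d|\d[a-z]", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return bool(letters) and vowels / len(letters) < 0.2


def triage(reg_query_output: str) -> list[dict]:
    """Return Run entries matching the suspicious pattern, with the reasons they matched."""
    findings = []
    for line in reg_query_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        exe = image_path(m["data"])
        # PureWindowsPath compares case-insensitively, so C:\WINDOWS matches C:\Windows.
        if exe.parent not in SYSTEM_DIRS or exe.name.lower() in ALLOWLIST:
            continue
        if not looks_random(exe.stem):
            continue
        reasons = ["image in Windows system directory", "random-looking file name"]
        if m["name"].lower() == exe.stem.lower():
            reasons.append("value name equals file name")
        findings.append({"value": m["name"], "image": str(exe), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY):
        print(f["value"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

On a live host, redirect `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run > run.txt` and feed the file to `triage`. The check is a triage heuristic, not a signature: it also needs to be run against the HKCU Run key and the RunOnce keys, and any hit should be confirmed by checking the file's digital signature and whether a DLL with a similar random name is loaded in explorer.exe.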
Payload
Modifies System Security Settings
PWS:Win32/Frethog.AD attempts to evade security products by terminating the Kingsoft Antivirus process if it is running on the system.
Steal MMORPG Logon Credentials
The trojan attempts to capture logon credentials for one or more of the following MMORPGs and affiliated products:
- Rainbow Island
- Cabal Online
- A Chinese Odyssey
- Hao Fang Battle Net
- Lineage
- Gamania
- MapleStory
- qqgame
- Legend of Mir
- World Of Warcraft
The captured details are then sent to a remote server.
Analysis by Oleg Petrovsky
Prevention