Threat behavior
PWS:Win32/Frethog.AG is a password-stealing trojan that targets confidential data, such as account information, for Massively Multiplayer Online Role Playing Games (MMORPGs) such as World of Warcraft (WoW).
Installation
When executed, PWS:Win32/Frethog.AG copies itself to the system directory as a hidden file. Here are some of the typical filenames used:
amvo<number>.exe
kavo<number>.exe
awda<number>.exe
avpo<number>.exe
The password-stealing functionality of PWS:Win32/Frethog.AG is contained in a dll component that is also dropped to the system directory. Here are some of the typical filenames used:
amvo<number>.dll
avpo<number>.dll
kavo<number>.dll
<random 7 or 8 letter name>.dll
The dropped dll (identified as PWS:Win32/Frethog.AG.dll) is injected into the Windows shell process 'Explorer.exe'. Win32/Frethog.AG may then add the following registry values so that it executes at each Windows start.
Adds value: "amva"
With data: "<system folder>\amvo<number>.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "avpa"
With data: "<system folder>\avpo<number>.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
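The dropped-file names and Run-key values above can be turned into a simple host check. The following Python is an added example, not part of the original analysis or any Microsoft tool; it assumes the caller has already read the HKCU Run values into a dict and listed the system directory with hidden-attribute flags (the sample data below is constructed, not real telemetry).

```python
import re
from typing import Dict, List, Tuple

# Patterns built from the filenames listed above; comparisons are
# case-insensitive because Windows file names are.
PREFIXED_EXE = re.compile(r"^(amvo|kavo|awda|avpo)\d+\.exe$", re.I)
PREFIXED_DLL = re.compile(r"^(amvo|avpo|kavo)\d+\.dll$", re.I)
RANDOM_DLL = re.compile(r"^[a-z]{7,8}\.dll$", re.I)   # weak indicator on its own
RUN_VALUE_NAMES = {"amva", "avpa"}                     # value names named above

def check_run_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """entries maps value name -> data read from the HKCU Run key.
    Returns (value name, reason) for entries matching the persistence
    mechanism described above."""
    hits = []
    for name, data in entries.items():
        exe = data.strip('"').rpartition("\\")[2]      # basename of the target
        if name.lower() in RUN_VALUE_NAMES:
            hits.append((name, "value name matches Frethog.AG persistence"))
        elif PREFIXED_EXE.match(exe):
            hits.append((name, f"Run target {exe} matches dropped-file pattern"))
    return hits

def check_system_dir(listing: List[Tuple[str, bool]]) -> List[Tuple[str, str]]:
    """listing is [(filename, is_hidden), ...] for the system directory.
    Prefixed names are flagged outright; a random 7-8 letter DLL is only
    flagged when hidden, because many legitimate system DLLs (version.dll,
    shlwapi.dll, ...) also have 7-8 letter names."""
    hits = []
    for fname, hidden in listing:
        if PREFIXED_EXE.match(fname) or PREFIXED_DLL.match(fname):
            hits.append((fname, "name matches dropped component pattern"))
        elif hidden and RANDOM_DLL.match(fname):
            hits.append((fname, "hidden random-name DLL (weak indicator)"))
    return hits

# Constructed sample input (hypothetical paths and names, not real data).
SAMPLE_RUN = {
    "amva": r"C:\WINDOWS\system32\amvo0.exe",
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_DIR = [("amvo0.exe", True), ("kavo1.dll", False), ("version.dll", False),
              ("qwertyu.dll", True), ("ntdll.dll", False)]

if __name__ == "__main__":
    for item, reason in check_run_entries(SAMPLE_RUN) + check_system_dir(SAMPLE_DIR):
        print(f"{item}: {reason}")
```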
Payload
Modifies System Security Settings
The dropper attempts to circumvent security products by:
Attempting to prevent AVP Antivirus from displaying notifications about system changes by closing the windows used by this product.
Attempting to terminate Ravmon.exe if it is found to be running on the affected system.
Steals MMORPG Logon Credentials
The dropped dll, once injected into 'Explorer.exe', can obtain login account information for one or more of the following MMORPGs and affiliated products:
Rainbow Island
Cabal Online
A Chinese Odyssey
Hao Fang Battle Net
Lineage
Gamania
MapleStory
qqgame
Legend of Mir
World Of Warcraft
The captured details are sent to a remote server.
Analysis by Francis Allan Tan Seng
Prevention