Threat behavior
PWS:Win32/Frethog.MV is a member of PWS:Win32/Frethog, a large family of password-stealing trojans that target confidential data, such as account information, from Massively Multiplayer Online Role-Playing Games (MMORPGs) such as World of Warcraft.
Installation
PWS:Win32/Frethog.MV may be installed by other malware and is present as a DLL component. The trojan may also copy itself to the Windows recycle bin of the local drive and removable flash drives as the following:
\recycler\KB970587.SYS
Payload
Terminates security processes
This trojan attempts to terminate the following security processes:
360tray.exe
360sd.exe
avp.exe
ravmond.exe
kvsrvxp.exe
kavstart.exe
Modifies Windows system files
The trojan prevents Windows from monitoring changes in the system files "imm32.dll" and "ksuser.dll" so it can modify them. PWS:Win32/Frethog.MV modifies the following file, after which it is detected as Virus:Win32/Frethog.G:
%SystemRoot%\system32\imm32.dll
The trojan also replaces the original system file "%SystemRoot%\system32\ksuser.dll"; the original is saved as a file named "ksuser.bak".
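The installation and file-modification behaviour above gives a defender three host artifacts to look for: the dropped copy under \recycler, the ksuser.bak left behind when ksuser.dll is swapped, and imm32.dll or ksuser.dll no longer matching a known-good copy. The following scanner is an added example written for this page, not Microsoft's or the analyst's code; it assumes the caller supplies drive roots, the system32 directory and a known-good SHA-256 map taken from a clean host of the same Windows build, and demo() runs it over a constructed, not real, file layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the PWS:Win32/Frethog.MV description above
DROPPED_COPY = Path("recycler") / "KB970587.SYS"  # copied to local and removable drives
PATCHED_DLL = "imm32.dll"       # modified in place (then detected as Virus:Win32/Frethog.G)
REPLACED_DLL = "ksuser.dll"     # swapped out for a trojan copy
ORIGINAL_BACKUP = "ksuser.bak"  # where the trojan saves the original ksuser.dll


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large DLL is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_frethog_mv(drive_roots, system32, known_good):
    """Return (indicator, path) pairs. known_good maps DLL name -> SHA-256 of the clean
    file for this Windows build (assumed to be supplied by the caller from a clean host)."""
    findings = []
    for root in drive_roots:
        drop = Path(root) / DROPPED_COPY
        if drop.is_file():
            findings.append(("dropped copy in recycler", str(drop)))
    backup = Path(system32) / ORIGINAL_BACKUP
    if backup.is_file():  # Windows itself never creates ksuser.bak
        findings.append(("original ksuser.dll saved as backup", str(backup)))
    for name in (PATCHED_DLL, REPLACED_DLL):
        dll = Path(system32) / name
        if dll.is_file() and name in known_good and sha256_of(dll) != known_good[name]:
            findings.append(("system DLL differs from known-good hash", str(dll)))
    return findings


def demo():
    """Build a constructed (not real) infected layout in a temp dir; return indicator names."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, system32 = Path(tmp) / "drive", Path(tmp) / "system32"
        (drive / "recycler").mkdir(parents=True)
        (drive / DROPPED_COPY).write_bytes(b"constructed sample")
        system32.mkdir()
        (system32 / ORIGINAL_BACKUP).write_bytes(b"constructed original ksuser.dll")
        (system32 / REPLACED_DLL).write_bytes(b"constructed clean ksuser.dll")  # untouched
        (system32 / PATCHED_DLL).write_bytes(b"constructed patched imm32.dll")  # tampered
        known_good = {REPLACED_DLL: sha256_of(system32 / REPLACED_DLL),
                      PATCHED_DLL: hashlib.sha256(b"constructed clean imm32.dll").hexdigest()}
        return [kind for kind, _ in scan_for_frethog_mv([drive], system32, known_good)]
```

On a real host, pass the actual drive roots and %SystemRoot%\system32, and build known_good from the same DLLs on a machine known to be clean.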
Steals MMORPG logon credentials
This trojan may steal online game passwords and other login-related data and upload the captured information to a predefined remote server. In the wild, this trojan was observed monitoring the application "xy2.exe" for this purpose.
Additional Information
Analysis by Jingli Li
Prevention