PWS:Win32/Mapdimp.F is a generic detection for a family of trojans that steal passwords for online games.
Installation
Upon execution, PWS:Win32/Mapdimp.F creates the following files in the Windows System folder:
- midimap<string>.tmp - is later renamed to midimap<string>.dll
- midimap<string>.dat - contains information on the encrypted website(s) to which collected passwords are sent
Where <string> is a hardcoded 2 or 3 character string that depends on the Mapdimp variant. If <string> contains 3 characters, the third character is a number. Sample file names are: midimapcb.dll, midimapqn3.dll, midimapwl.dll
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
PWS:Win32/Mapdimp.F registers its dropped DLL file by adding the following registry entries:
Adds value: "midimap<string>"
With data: "{4f4f0064-71e0-4f0d-0001-708476c7815f}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Adds value: "{4F4F0064-71E0-4f0d-0001-708476C7815F}"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Adds value: "(Default)"
With data: "<system folder>\midimap<string>.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{4F4F0064-71E0-4f0d-0001-708476C7815F}\InProcServer32
To avoid detection it also creates and executes a temporary batch file. The batch file deletes the currently running Mapdimp.F process and deletes itself.
The dropped DLL file, which is also detected as PWS:Win32/Mapdimp.F, is loaded in each process, where it checks for passwords for online games. These gathered passwords are then sent to the website(s) indicated by midimap<string>.dat.
The dropped DLL file also re-checks and re-registers itself via the system registry if the registry entries are deleted or modified.
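The three registry locations listed above (ShellServiceObjectDelayLoad, ShellExecuteHooks and the CLSID's InProcServer32 default value) are the persistence indicators a responder would check. The following is an added detection example, not part of the original analysis: it parses a `.reg` export of those keys and flags entries that match the naming pattern and CLSID described on this page. The `.reg` text below is constructed sample data; the benign "ExampleBenign" entry and its all-zero CLSID are placeholders included only to show that unrelated entries are not flagged.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample .reg export (not captured from a real host). A real
# export is produced with "reg export <key> out.reg" on the examined machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ExampleBenign"="{00000000-0000-0000-0000-000000000000}"
"midimapqn3"="{4f4f0064-71e0-4f0d-0001-708476c7815f}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F4F0064-71E0-4f0d-0001-708476C7815F}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F4F0064-71E0-4f0d-0001-708476C7815F}\InProcServer32]
@="C:\\Windows\\System32\\midimapqn3.dll"
'''

# Indicators taken from the page: the CLSID the DLL registers under, and the
# midimap<string> naming scheme (2 letters, optionally followed by one digit).
# The legitimate Windows midimap.dll has no suffix and therefore never matches.
MAPDIMP_CLSID = "{4f4f0064-71e0-4f0d-0001-708476c7815f}"
MIDIMAP_NAME_RE = re.compile(r'^midimap[a-z]{2}\d?$', re.I)
MIDIMAP_DLL_RE = re.compile(r'^midimap[a-z]{2}\d?\.dll$', re.I)

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}. Only string
    values are needed here; '@' becomes '(Default)' and doubled backslashes
    in REG_SZ data are unescaped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(2) else m.group(1)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_mapdimp_persistence(keys):
    """Return (location, key, value_name, data) tuples for entries matching
    the Mapdimp.F registration pattern described on the page."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit('\\', 1)[-1].lower()
        if leaf == 'shellserviceobjectdelayload':
            for name, data in values.items():
                if MIDIMAP_NAME_RE.match(name) or data.lower() == MAPDIMP_CLSID:
                    findings.append(('SSODL', key, name, data))
        elif leaf == 'shellexecutehooks':
            for name, data in values.items():
                if name.lower() == MAPDIMP_CLSID:
                    findings.append(('ShellExecuteHooks', key, name, data))
        elif leaf == 'inprocserver32':
            default = values.get('(Default)', '')
            if MIDIMAP_DLL_RE.match(PureWindowsPath(default).name):
                findings.append(('InProcServer32', key, '(Default)', default))
    return findings


def scan_reg_text(text):
    return find_mapdimp_persistence(parse_reg(text))


if __name__ == '__main__':
    for location, key, name, data in scan_reg_text(SAMPLE_REG):
        print(f'[{location}] {key}\n    {name} = {data!r}')
```

To run this against a real export, read the file with `encoding='utf-16'` (`reg export` writes UTF-16LE with a BOM) and pass the text to `scan_reg_text`. Because the DLL re-registers itself when these entries are removed, a clean result only means something if the DLL itself has also been unloaded and deleted.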
Payload
Terminates Security-Related Processes
PWS:Win32/Mapdimp.F may terminate security-related processes, such as the following:
360tray.exe
360Safe.exe
Steals Sensitive Data
PWS:Win32/Mapdimp.F monitors for game processes, such as "client.exe", and steals user information such as the following:
To gather more information it also checks the contents of game configuration files, such as the following:
- \ect\home.ini
- ServerList.Dat
It also monitors specific windows that may be used to enter login information, such as those with the following titles:
All gathered information is then sent to remote websites, such as the following:
- 222.73.218.230
- caizhu50.com
- vv226688.net
Analysis by Patrik Vicol