PWS:Win32/OnLineGames.FR is a trojan that steals passwords and other sensitive information. It can also download arbitrary files from certain Web servers.
Installation
Upon execution, PWS:Win32/OnLineGames.FR drops its DLL component as the following files:
- <system folder>\sysmxd.dll - also detected as PWS:Win32/OnLineGames.FR
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
This DLL component is then injected into the "explorer.exe" process.
PWS:Win32/OnLineGames.FR also registers its DLL component by creating the following registry entries:
Adds value: {3FDEB171-8F86-0004-0001-69B8DB553683}
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}
Adds value: "(default)"
With data: "<system folder>\sysmxd.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{3FDEB171-8F86-0004-0001-69B8DB553683}\InProcServer32
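To check a host for this persistence point, the following PowerShell audit (an added example, not part of the original Microsoft entry) lists every CLSID registered under ShellExecuteHooks, resolves it to its InProcServer32 DLL, and flags the CLSID and DLL name given above. It goes beyond the entry by also reading the WOW64 view of the same keys, where a 32-bit hook DLL lands on 64-bit Windows.

```powershell
# Added example, not from the original Microsoft entry: audit the ShellExecuteHooks
# persistence point this trojan uses, resolving each CLSID to its InProcServer32 DLL.
$KnownBadClsid = '{3FDEB171-8F86-0004-0001-69B8DB553683}'   # CLSID from this entry
$KnownBadDll   = 'sysmxd.dll'                                # DLL name from this entry

function Get-ShellExecuteHook {
    # Native and WOW64 views; a 32-bit hook DLL on 64-bit Windows registers under Wow6432Node.
    $views = @(
        @{ Hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Hooks = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Hooks)) { continue }
        foreach ($name in (Get-Item $v.Hooks).GetValueNames()) {
            # Value names under ShellExecuteHooks are the CLSIDs Explorer will load in-process.
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $inproc = Join-Path (Join-Path $v.Clsid $name) 'InProcServer32'
            # GetValue('') reads the (default) value and expands REG_EXPAND_SZ paths.
            $dll    = if (Test-Path $inproc) { (Get-Item $inproc).GetValue('') } else { $null }
            $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
            [pscustomobject]@{
                View       = if ($v.Hooks -like '*Wow6432Node*') { 'WOW64' } else { 'Native' }
                Clsid      = $name
                Dll        = $dll
                DllExists  = $exists
                Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
                MatchesIoc = ($name -ieq $KnownBadClsid) -or
                             ($dll -and [IO.Path]::GetFileName($dll) -ieq $KnownBadDll)
            }
        }
    }
}

# Entries with MatchesIoc=$True, DllExists=$False, or a DLL that is not validly signed deserve a closer look.
Get-ShellExecuteHook | Format-Table -AutoSize
```

Reading these HKLM keys needs no elevation, so the audit can run under a standard user account; legitimate ShellExecuteHooks entries are rare on modern Windows and should resolve to a signed Microsoft DLL.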
Payload
Downloads arbitrary files
PWS:Win32/OnLineGames.FR downloads files from certain servers, such as the following:
- kaonimabi.cn
- rinimabi.cn
- ghosthack.com.cn
The downloaded file is then saved as the following:
Steals sensitive information
Using its DLL component, PWS:Win32/OnLineGames.FR can steal sensitive information, such as user names and passwords, from certain Web sites.
Analysis by Francis Allan Tan Seng