Threat behavior
PWS:Win32/OnLineGames.FT is a detection for a trojan that steals user data related to online games, including program registration keys, passwords, keystrokes and other related information.
Installation
When run, PWS:Win32/OnLineGames.FT drops two files:
%windir%\fonts\Q9UnbAWWNuSv4.fon - PWS:Win32/OnLineGames.FT.dll
%windir%\fonts\yGMHUAj5Npydj8FZ.Ttf - encrypted data file
Win32/OnLineGames.FT then loads the dropped component 'Q9UnbAWWNuSv4.fon' as a DLL and calls the export named "JUFndB4pARSJ". The trojan queries the following registry subkey for the value "{EA25F4E7-8B67-452A-B9DD-B38C526250D3}":
HKLM\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
If this value does not exist, it is created along with the following subkey and corresponding data:
Adds value: "ThreadingModel"
With data: "Apartment"
To subkey: HKCR\CLSID\{EA25F4E7-8B67-452A-B9DD-B38C526250D3}\InprocServer32
Additionally, the file '<system folder>\VerCLSiD.exe' (the Windows Extension CLSID Verification Host, which checks shell extensions before Explorer loads them) is deleted.
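The registry changes above amount to registering the dropped file as a shell execute hook. As an added example (not part of this write-up), the following Python audits a .reg export for ShellExecuteHooks entries whose InprocServer32 module is not a .dll or lives in the Fonts directory; the snapshot is constructed, the benign CLSID and both InprocServer32 default paths are assumptions, and only the hook key, the trojan's CLSID and the dropped file name come from the page.

```python
import re
from typing import Dict, List

# Constructed "reg export" snapshot. The hook key, the trojan's CLSID and the
# dropped file name are from the write-up; the benign CLSID and both
# InprocServer32 default paths are ASSUMED for illustration.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-0000-0000-0000-000000000001}"=""
"{EA25F4E7-8B67-452A-B9DD-B38C526250D3}"=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{EA25F4E7-8B67-452A-B9DD-B38C526250D3}\InprocServer32]
@="C:\\WINDOWS\\fonts\\Q9UnbAWWNuSv4.fon"
"ThreadingModel"="Apartment"
'''

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
VALUE_RE = re.compile(r'^(?:@|"([^"]+)")="(.*)"$')  # "name"="data" or @="data"

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lowercased): {value name: data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # undo .reg escaping of backslashes and quotes
                keys[current][m.group(1) or ""] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def audit_shell_execute_hooks(reg_text: str, windir: str = r"C:\WINDOWS") -> List[dict]:
    """Return one finding per ShellExecuteHooks CLSID whose in-process server looks suspicious."""
    keys, findings = parse_reg(reg_text), []
    for clsid in keys.get(HOOKS_KEY.lower(), {}):
        server = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        path, reasons = server.get("", ""), []
        if not path:
            reasons.append("no InprocServer32 default path")
        else:
            if not path.lower().endswith(".dll"):
                reasons.append("server module is not a .dll")
            if path.lower().startswith((windir + r"\fonts").lower()):
                reasons.append("server module lives in the Fonts directory")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings
```

On a live host the same logic can be run over the output of `reg export` for the two keys; an entry pointing at a .fon or .ttf file under the Fonts directory is the pattern this trojan leaves.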
Payload
Captures logon credentials
The trojan captures logon credentials and other related information for popular online games. Captured information may be sent to an attacker over HTTP.
Analysis by Dan Kurc
Prevention