PWS:Win32/OnLineGames.GP is a detection for a trojan that steals account information for certain online games. It also modifies particular system files so that the trojan components are executed automatically.
Installation
This trojan may be downloaded and installed by other malware, such as TrojanDownloader:Win32/Chekafe.A, or may be installed when visiting malicious Web sites. The trojan may be present as the following files:
%temp%\<3 random letters>.tmp
%temp%\<5 random letters>.drv
%windir%\system\<3 random letters>.tmp
%windir%\system\<5 random letters>.drv
For example:
%temp%\ave.tmp
%temp%\fdkjl.drv
%windir%\system\ave.tmp
%windir%\system\fdkjl.drv
PWS:Win32/OnLineGames.GP modifies certain system files on the local computer. Examples of files it tries to modify are the following, several of which are DirectX library files:
dsound.dll
ddraw.dll
d3d9.dll
olepro32.dll
The target file is first copied, with the file extension .MOD or .REP, as a temporary working copy:
<target file name>.mod or
<target file name>.rep
A copy of the original file may be kept in the same folder as the following file name:
<target file name>.dll<5 random letters> (for example, "dsound.dllXumDR")
When run, it creates a mutex named "__INF_<modified file name>__", for example "__INF_dsound.dll__".
The target file is modified to execute or load the dropped components, which have .DRV or .TMP file extensions, for example:
%temp%\ave.tmp
%temp%\fdkjl.drv
%windir%\system\ave.tmp
%windir%\system\fdkjl.drv
As a cleanup step, the malware that installs this trojan creates a file named "delself.bat" in the Temporary folder in order to delete the executed copy of the installer.
Payload
Disables WFP
Some variants of this malware disable Windows File Protection (WFP) by modifying registry data.
Modifies value: "SFCDisable"
With data: "4294967197" ("0xFFFFFF9D")
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
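The file-system and registry indicators described above (the <target>.dll<5 random letters> backup copy, the leftover .MOD/.REP working copies, the dropped <3 letters>.tmp and <5 letters>.drv components, and the SFCDisable data) can be checked with a small hunting script. The following is an added example, not code from the original write-up or from Microsoft; the folder it scans and the files in it are constructed here to mimic an infected %windir%\system, and the pattern names and function names are the author's own choices.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Files the write-up reports the trojan modifies.
TARGETS = "dsound|ddraw|d3d9|olepro32"
# Backup of the original: "<target>.dll<5 random letters>", e.g. dsound.dllXumDR
BACKUP_RE = re.compile(rf"^(?P<target>(?:{TARGETS})\.dll)[a-z]{{5}}$", re.IGNORECASE)
# Temporary working copy: "<target>.mod" or "<target>.rep"
WORKCOPY_RE = re.compile(rf"^(?P<target>(?:{TARGETS})\.dll)\.(?:mod|rep)$", re.IGNORECASE)
# Dropped components: <3 random letters>.tmp or <5 random letters>.drv
DROPPED_RE = re.compile(r"^(?:[a-z]{3}\.tmp|[a-z]{5}\.drv)$", re.IGNORECASE)

# SFCDisable data the write-up reports: DWORD 0xFFFFFF9D, i.e. 4294967197 unsigned.
SFCDISABLE_WFP_OFF = 0xFFFFFF9D


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_folder(folder):
    """Return sorted (indicator, filename) pairs for names matching the patterns above.

    When a backup copy is found, the live <target>.dll in the same folder is hashed
    against it; a mismatch means the live file is the patched one ("modified_target").
    """
    folder = Path(folder)
    hits = []
    for entry in folder.iterdir():
        if not entry.is_file():
            continue
        name = entry.name
        if WORKCOPY_RE.match(name):
            hits.append(("working_copy", name))
        elif DROPPED_RE.match(name):
            hits.append(("dropped_component", name))
        else:
            m = BACKUP_RE.match(name)
            if m:
                hits.append(("backup_copy", name))
                live = folder / m.group("target")
                if live.is_file() and sha256_file(live) != sha256_file(entry):
                    hits.append(("modified_target", live.name))
    return sorted(hits)


def wfp_disabled_by_sfcdisable(data):
    """True when the SFCDisable REG_DWORD carries the data this trojan writes.

    Registry readers may hand the DWORD back signed (-99, e.g. PowerShell) or
    unsigned (4294967197, e.g. winreg); both are normalised to 32 bits first.
    """
    if data is None:
        return False
    return (int(data) & 0xFFFFFFFF) == SFCDISABLE_WFP_OFF


def build_sample_folder():
    """Constructed sample: a throwaway folder laid out like an infected %windir%\\system."""
    folder = Path(tempfile.mkdtemp(prefix="olg_gp_"))
    (folder / "dsound.dllXumDR").write_bytes(b"original dsound")  # backup of the original
    (folder / "dsound.dll").write_bytes(b"patched dsound")        # live, patched copy
    (folder / "ddraw.dll").write_bytes(b"clean ddraw")            # untouched target
    (folder / "ddraw.dll.rep").write_bytes(b"")                   # leftover working copy
    (folder / "ave.tmp").write_bytes(b"component")                # dropped component
    (folder / "fdkjl.drv").write_bytes(b"component")              # dropped component
    (folder / "readme.txt").write_bytes(b"not an indicator")
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for indicator, filename in scan_folder(sample):
        print(f"{indicator:18} {filename}")
    print("WFP disabled via SFCDisable:", wfp_disabled_by_sfcdisable(4294967197))
```

The .tmp/.drv name patterns are weak on their own (any three- or five-letter name matches), so the backup copy beside a differing live DLL is the indicator to act on; on a real system, point scan_folder at %windir%\system and %temp%, and feed wfp_disabled_by_sfcdisable the SFCDisable data read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.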
Captures and sends data to a remote server
PWS:Win32/OnLineGames.GP searches the processes in memory related to several online games to find particular information, such as the following:
- User name and password
- Character information
- Gold count
The information is then sent to a remote server. Examples of process names the trojan monitors are:
- PlayCHSLauncher.exe - Tower of Eternity
- ElementClient.exe - Perfect World
- DNF.exe - Dungeon & Fighter
Additional Information
Since many online games require DirectX components, the modified DirectX library is loaded when the game starts, which executes the malware automatically.
Analysis by Elda Dimakiling