Threat behavior
PWS:Win32/OnLineGames.ZDA!dll is a trojan that captures logon credentials for certain online games and sends the captured data to a remote server.
Installation
This trojan is installed by other malware such as PWS:Win32/Kuoog.A and may be present as a DLL component, as in the following example:
%TEMP%\mpcor_4194304.dll
The trojan runs at each Windows startup via a registry modification, as in the following example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
To data: ",%TEMP%\mpcor_4194304.dll"
The trojan creates a mutex named "DBWinMutex" to ensure that multiple copies of the trojan do not execute simultaneously.
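As an added triage check (not part of the original write-up), the following parses `reg query` output for the AppInit_DLLs value shown above and flags any DLL loaded from a user-writable location such as %TEMP%; the sample output, including the LoadAppInit_DLLs line, is constructed for this example, not captured from an infected host.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"`
# output, modelled on the registry modification described above (not real output from a host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    ,%TEMP%\mpcor_4194304.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
"""

# Locations a non-admin user can write to. A legitimate AppInit DLL lives under
# the Windows directory; anything under these prefixes deserves a closer look.
USER_WRITABLE_PREFIXES = (
    "%temp%", "%tmp%", "%appdata%", "%localappdata%", "%userprofile%", "c:\\users\\",
)

# Matches only the AppInit_DLLs line, not LoadAppInit_DLLs (anchored at line start).
VALUE_RE = re.compile(
    r"^\s*AppInit_DLLs\s+REG_(?:EXPAND_)?SZ\s*(.*)$", re.IGNORECASE | re.MULTILINE
)


def parse_appinit_dlls(reg_output: str) -> List[str]:
    """Return the DLL paths listed in AppInit_DLLs.

    Windows accepts commas or spaces as separators, so the leading comma in the
    sample value is skipped rather than producing an empty entry.
    """
    match = VALUE_RE.search(reg_output)
    if not match:
        return []
    return [p.strip() for p in re.split(r"[,\s]+", match.group(1)) if p.strip()]


def flag_suspicious(paths: List[str]) -> List[Dict[str, str]]:
    """Flag AppInit DLLs that load from user-writable paths (case-insensitive)."""
    findings = []
    for path in paths:
        if path.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append({"path": path, "reason": "AppInit DLL in user-writable location"})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_appinit_dlls(SAMPLE_REG_QUERY)):
        print(f"SUSPICIOUS: {finding['path']} ({finding['reason']})")
```

On Windows 8 and later with Secure Boot enabled, AppInit_DLLs loading is disabled entirely, so this persistence mechanism is only effective on older or non-Secure-Boot hosts.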
Payload
Captures online gaming credentials
PWS:Win32/OnLineGames.ZDA!dll attempts to capture logon account credentials for the popular online role-playing games "World of Warcraft" (WoW) and "AION". We have observed captured data being sent to the following remote host in the wild:
- kqs.iwillhavesexygirls.com
Analysis by Xinrui Qin
Prevention