Threat behavior
Worm:Win32/Wowsteal.ZE is a password stealer for the computer video game World of Warcraft (WoW). This malware sends captured passwords to a remote destination configured by the malware author, spreads by copying itself to removable drives and uses advanced stealth techniques to hide its presence on the affected machine.
Installation
When Worm:Win32/Wowsteal.ZE is executed, it writes a copy of itself to <system folder>\avpo.exe. The worm adds an entry in the registry to execute its copy at Windows startup:
Adds value: avpo
With data: <system folder>\avpo.exe
Within subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Wowsteal.ZE launches Internet Explorer and injects its code into this now running process.
Payload
Advanced Stealth Features
Worm:Win32/Wowsteal.ZE drops a malicious DLL and a rootkit driver into the %Temp% folder using random file names such as 7q5y8bk.dll and sm1iryf.sys. This rootkit component (identified as VirTool:Win32/Vanti.gen!A) conceals the presence of Worm:Win32/Wowsteal.ZE.
Steals Sensitive Information
The worm injects its code from the dropped DLL into running processes. The code monitors for the start of programs named WOW.EXE (World of Warcraft) and attempts to intercept the logon and password exchange between the locally running application and the remote Web servers that accept the login credentials.
Downloads and Executes Arbitrary Files
This worm may also attempt to download additional programs or malware from remote Web servers.
Spreads Via…
Removable Storage Devices and Drives
Worm:Win32/Wowsteal.ZE may copy itself to removable storage devices or drives as 'ntde1ect.com'. The worm then drops an autostart configuration file 'Autorun.inf' to the device or drive. When this drive is attached to a computer and autorun is engaged, the configuration file Autorun.inf launches ntde1ect.com. The file autorun.inf is identified as Worm:Win32/Wowsteal.ZE!inf.
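A host check for the indicators described above (the avpo Run value, the dropped avpo.exe, and ntde1ect.com with its Autorun.inf on removable drives), as an added PowerShell example that is not part of this write-up. It assumes <system folder> is %SystemRoot%\System32 and that removable drives are the Win32_LogicalDisk entries with DriveType 2; it reports findings and removes nothing.

```powershell
# Host check for the Worm:Win32/Wowsteal.ZE indicators listed in the write-up.
# Assumptions (not from the write-up): <system folder> is $env:SystemRoot\System32,
# and removable drives are Win32_LogicalDisk entries with DriveType 2.
# The script only reports; it does not delete or modify anything.

$findings = @()

# 1. Autostart entry: value "avpo" under the HKCU Run key, data "<system folder>\avpo.exe"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['avpo']) {
    $findings += "Run value 'avpo' present: $($run.avpo)"
}

# 2. Dropped copy in the system folder
$avpo = Join-Path $env:SystemRoot 'System32\avpo.exe'
if (Test-Path -LiteralPath $avpo) {
    $findings += "File present: $avpo"
}

# 3. Removable drives carrying ntde1ect.com and an Autorun.inf that launches it
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $root    = $disk.DeviceID + '\'
    $payload = Join-Path $root 'ntde1ect.com'
    $inf     = Join-Path $root 'Autorun.inf'
    if (Test-Path -LiteralPath $payload) {
        $findings += "File present on removable drive: $payload"
    }
    if (Test-Path -LiteralPath $inf) {
        # Autorun.inf is INI text; the launch target sits in open=, shellexecute=
        # or shell\<verb>\command= lines. Flag any that reference ntde1ect.com.
        $lines = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        $hits  = $lines | Where-Object {
            $_ -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=.*ntde1ect\.com'
        }
        if ($hits) {
            $findings += "Autorun.inf on $($disk.DeviceID) launches ntde1ect.com: $($hits -join '; ')"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Wowsteal.ZE indicators found.'
} else {
    Write-Output 'Possible Worm:Win32/Wowsteal.ZE infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the rootkit driver hides the worm's files and process from the infected host, a clean result from this check alone is not conclusive; scan the disk offline or with an updated antimalware engine as well.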
Prevention