TrojanDropper:Win32/Tidola.A

Win32/Tidola is a family of trojans that may consist of several components, and may be used to facilitate the operation of other malware that targets online games (such as Win32/Helpud).

When executed, Win32/Tidola's executable component (detected as TrojanDropper:Win32/Tidola.A) copies %system%\rundll32.exe to %system%\r0<random 4 numbers>.exe (for example r05013.exe) and drops a DLL to %temp%\~<random 6 Numbers> (this file may be detected as PWS:Win32/Tidola.A). The DLL is then executed using the previously created copy of %system%\rundll32.exe.

Modifies Hosts File
The local Hosts file overrides the DNS resolution of a web site URL to a particular IP address. Malicious software may make modifications to the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus for example). In this case, Tidola modifies the hosts file to stop users from accessing particular sites associated with online gaming.

 

Tidola modifies the hosts file in order to redirect the affected user's attempts to connect to the following sites:
passport.wanmei.com
reg.163.com
sde.game.sohu.com
account.ztgame.com
pwd.sdo.com
reg.91.com
pass.kingsoft.com
passport.yuyan.com

 

Steals Online Game Details
Tidola is directly or indirectly responsible for stealing online game details for online games based in China.