Trojan-PSW.Win32.OnLineGames.rlh

This malicious program is a Trojan. It is an EXE file of 112736 bytes in size.

Detection date: February 19, 2008

Technical details

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\kavo.exe

To ensure that it runs automatically every time the system restarts, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

The Trojan also extracts the following file from its own executable:

%System%\kavo0.dll

This file is 96768 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.rlb.

The Trojan also extracts a second file from its own executable, into the temporary files directory:

%Temp%\.dll

(Only the extension of this file name survives on this page; the name itself is not given.) This file is 29994 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.yyq.

Payload

The Trojan injects the extracted DLL into every process running in the system. It also intercepts keyboard and mouse events whenever any of the following game processes is running:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

It intercepts traffic sent to the following addresses (the last octet is masked in the description, so several entries appear identical):

61.220.60.***
61.220.60.***
61.220.62.***
61.220.56.***
61.220.56.***
61.220.62.***
61.220.62.***
203.69.46.***
203.69.46.***
220.130.113.***

It collects account data for the following online games:

ZhengTu
Wanmei Shijie (Perfect World)
Dekaron (Siwan Mojie)
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

and several others. The Trojan also parses the configuration files of these games and tries to harvest the accounts of other players on the same server.

The collected data is sent to a remote site controlled by the attacker.

The Trojan also changes the following system registry values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

The first three values keep the dropped files out of sight: "Hidden" = 2 turns off the display of hidden files, "ShowSuperHidden" = 0 hides protected operating system files, and "CheckedValue" = 0 makes the "Show hidden files and folders" option in Folder Options ineffective. "NoDriveTypeAutoRun" is a bitmask of drive types for which AutoRun is disabled; 0x91 disables it only for unknown and network drives and leaves it enabled for removable and fixed drives, which the autorun.inf spreading mechanism described below relies on.

The Trojan also attempts to terminate processes whose names contain the following strings (antivirus components):

KAV
RAV
AVP
KAVSVC

The Trojan also has worm-like functionality and can spread via removable storage devices. It copies its executable file to the root directory of every drive as:

X:\h2.com

where X is the drive letter.

In addition, the Trojan places the following file in the root directory of every drive:

X:\autorun.inf

This file launches the Trojan executable each time the infected drive is opened in Explorer (provided AutoRun is enabled for that drive type, which the registry change above ensures).

Removal instructions

If your computer does not have an antivirus program that updates automatically, or does not have a complete antivirus solution, follow these steps to remove the malware:

1. Delete the following file:

%System%\kavo.exe

2. Restart the computer. (The DLL kavo0.dll is loaded into every running process, so it cannot be deleted until those processes have exited.)

3. Delete the original Trojan file (its location depends on how it originally entered the computer).

4. Delete the following system registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

5. Restore the original values of the registry parameters the Trojan modified (the Trojan's values are listed in the Payload section):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" (Windows default is 1)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" (1 shows hidden files, which you will need for step 8)
"ShowSuperHidden" (1 shows protected operating system files)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" (restore your previous value; 0xFF disables AutoRun for all drive types)

6. Delete the following file:

%System%\kavo0.dll

7. Delete all files in the temporary files directory (%Temp%).

8. Delete the following files from the root directory of every removable drive:

X:\h2.com
X:\autorun.inf

where X is the drive letter of the removable device.

9. Update the antivirus databases and perform a full scan of the computer.
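The installation artefacts, the registry changes and the removal steps above, as one added PowerShell example. This is not Kaspersky's code; the file names, registry paths and values are taken from this page, while the function names (Get-RegValue, Find-InjectedDll, Test-AutoRunBits), the -Remove switch, the check that autorun.inf refers to h2.com, and the choice of 0xFF for NoDriveTypeAutoRun are this example's own. Run it without -Remove first to see what it finds.

```powershell
# Added example, not part of the Kaspersky description: triage for the indicators
# listed on this page, with optional clean-up when run with -Remove.
[CmdletBinding()]
param([switch]$Remove)

$sys      = [Environment]::GetFolderPath('System')        # %System%
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Find-InjectedDll([string]$DllName) {
    # The Trojan injects kavo0.dll into every process; list those still holding it.
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $DllName }) { $p }
        } catch { }   # access denied or 32/64-bit mismatch: module list unavailable
    }
}

function Test-AutoRunBits([int]$Value) {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED;
    # return the types for which it is still enabled.
    $bits = @{ Unknown=0x01; Removable=0x04; Fixed=0x08; Network=0x10; CDROM=0x20; RamDisk=0x40; Reserved=0x80 }
    $bits.GetEnumerator() | Where-Object { -not ($Value -band $_.Value) } | ForEach-Object { $_.Key }
}

# --- 1. Dropped files and the Run entry (removal steps 1, 4 and 6) ---
foreach ($f in @((Join-Path $sys 'kavo.exe'), (Join-Path $sys 'kavo0.dll'))) {
    if (Test-Path $f) {
        Write-Warning "Found $f"
        if ($Remove) { Remove-Item $f -Force -ErrorAction Continue }   # the DLL may be locked until reboot
    }
}
$run = Get-RegValue $runKey 'kava'
if ($run) {
    Write-Warning "Run entry 'kava' -> $run"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'kava' }
}

# --- 2. Explorer settings the Trojan tampers with (removal step 5) ---
if ((Get-RegValue $showAll 'CheckedValue') -eq 0) {
    Write-Warning "SHOWALL\CheckedValue is 0: the 'Show hidden files' option is disabled"
    if ($Remove) { Set-ItemProperty $showAll 'CheckedValue' 1 -Type DWord }   # Windows default
}
if ((Get-RegValue $advanced 'Hidden') -eq 2 -or (Get-RegValue $advanced 'ShowSuperHidden') -eq 0) {
    Write-Warning "Hidden files and/or protected system files are not shown"
    if ($Remove) {   # this script's choice: make hidden and system files visible for step 8
        Set-ItemProperty $advanced 'Hidden' 1 -Type DWord
        Set-ItemProperty $advanced 'ShowSuperHidden' 1 -Type DWord
    }
}
$autorun = Get-RegValue $policies 'NoDriveTypeAutoRun'
if ($null -ne $autorun) {
    $enabled = Test-AutoRunBits $autorun
    Write-Warning ("NoDriveTypeAutoRun=0x{0:X2}; AutoRun still enabled for: {1}" -f $autorun, ($enabled -join ', '))
    if ($Remove) { Set-ItemProperty $policies 'NoDriveTypeAutoRun' 0xFF -Type DWord }   # disable for every type
}

# --- 3. Worm component in every drive root (removal step 8) ---
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $exe = Join-Path $d.Root 'h2.com'
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path $exe) {
        Write-Warning "Found $exe"
        if ($Remove) { Remove-Item $exe -Force }
    }
    # Only treat autorun.inf as malicious when it refers to h2.com (a legitimate CD/DVD
    # can carry its own). The content check is this script's assumption; the page does
    # not show the file's contents.
    if ((Test-Path $inf) -and ((Get-Content $inf -Raw -ErrorAction SilentlyContinue) -match 'h2\.com')) {
        Write-Warning "Found $inf referencing h2.com"
        if ($Remove) { Remove-Item $inf -Force }
    }
}

# --- 4. Processes still carrying the injected DLL (a reboot, step 2, clears them) ---
Find-InjectedDll 'kavo0.dll' | ForEach-Object {
    Write-Warning "kavo0.dll loaded in $($_.ProcessName) (PID $($_.Id))"
}
```

Section 4 explains why the page puts a restart between deleting kavo.exe and deleting kavo0.dll: any process listed there still holds the DLL open, and Remove-Item on it will fail until the process exits.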
