Trojan.Win32.OnlineGames

by alexander.adamov on October 3rd, 2012 in Malware Descriptions.

Platform: Win32
Type: Backdoor
Size: 40448 bytes
Packer: UPX
Unpacked size: ~95 KB
Language: C++
MD5: 8fb5b6fcad0d7e67bf750a9194f19dfc
SHA1: 4749575d1b929f6f03f196ad6c7d04ee8d940dbd
Aliases: Trojan.Win32.Generic!BT

Summary

Trojan.Win32.OnlineGames belongs to a family of Trojans that steal passwords for online game accounts.

Technical Details

Payload

To ensure that only one instance of it runs on the system, the Trojan creates a unique identifier with the following name:

LJKIJIJIijils

The Trojan then disables UAC (User Account Control) by setting the following values under the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"ConsentPromptBehaviorAdmin" = "0"
"PromptOnSecureDesktop" = "0"

The Trojan then extracts a dynamic-link library (DLL) from its body and saves it in the Windows system directory as "WinSocketA.dll":

%System%\WinSocketA.dll

The file is 76288 bytes in size. It is detected as Trojan.Win32.Generic!BT by Ad-Aware.

MD5: 643d339139593341328f3bab63c60512
SHA1: bec8ab4f2b4f142b22c06e74dfce262685d6de4

To have the extracted library automatically injected into the address space of every process started on the system, the Trojan registers the malicious DLL under the registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%System%\WinSocketA.dll"

The file description matches that of the system library ws2help.dll.

In this way, the Trojan keeps its malicious module from standing out to autorun inspectors.

The Trojan also extracts a driver from its body and saves it to the root directory (C:\) under the following name:

C:\WINDOWS<rnd>.sys

where <rnd> is a random alphanumeric sequence, for example, "Umcrhk1".

The file is 2560 bytes in size. It is detected as Trojan.Win32.Generic!BT by Ad-Aware.

MD5: 567f509c29af66f7488c4c0b8d3832f5
SHA1: dc682de47e97cc87ddc8128adbb663e388f6ec54

Using the driver, the Trojan ends the following processes on the system:

V3LTray.exe
AYUpdSrv.aye
AYAgent.aye
AYRTSrv.aye
nsavsvc.npc
NaverAgent.exe
NSVMON.NPC

Afterwards, the "C:\WINDOWS<rnd>.sys" driver is removed.

Using the "%System%\WinSocketA.dll" dynamic library (DLL), the Trojan performs the following actions:

  • Injects the "%System%\WinSocketA.dll" library into the following processes to steal the user's confidential data:

dnf.exe
MapleStory.exe
lin.bin
ff2client.exe
heroes.exe
ExLauncher.exe
TERA.exe
OTP.exe
AION.bin
wow.exe
fairyclient.exe
dkonline.exe
Diablo III.exe
DKonline.exe

  • Analyzes traffic to the following addresses:

teencash.co.kr
dk.halgame.com
aion.plaync.co.kr
mabinogi.nexon.com
kr.battle.net
df.nexon.com
hangame.com
netmarble.net
pmang.com

  • Ends the following processes while injecting the malicious library into their address space:

AYAgent.aye
AYUpdSrv.aye
AYServiceNT.aye
AYRTSrv.aye
SystemMon.exe
SkyMon.exe
nsvmon.npc
nvc.npc
nvcagent.npc
Nsavsvc.npc
V3LTray.exe
V3LSvc.exe
V3Light.exe
SgSvc.exe
sgrun.exe
InjectWinSockServiceV3.exe

The collected information is sent as HTTP requests to the attacker's servers.


The Trojan removes itself once it finishes its work.

Removal Recommendations

  1. Change the registry key values (How to Work with System Registry):

     [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
     "AppInit_DLLs" = ""
     [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system]
     "EnableLUA" = "1"
     "ConsentPromptBehaviorAdmin" = "2"
     "PromptOnSecureDesktop" = "1"

  2. Delete the file:

     %System%\WinSocketA.dll

  3. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  4. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
  5. Change the passwords of all online game accounts.
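An added example, not part of the original description: a Python check that parses a `reg export` style dump for the registry values this Trojan changes (UAC settings and AppInit_DLLs) and compares them against the clean values given in the removal recommendations. The key paths and value names are those listed in this description; the registry dump itself is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

UAC_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Clean state, taken from the removal recommendations in this description.
# Keys are (lower-cased registry key path, value name).
EXPECTED: Dict[Tuple[str, str], object] = {
    (UAC_KEY.lower(), "EnableLUA"): 1,
    (UAC_KEY.lower(), "ConsentPromptBehaviorAdmin"): 2,
    (UAC_KEY.lower(), "PromptOnSecureDesktop"): 1,
    (APPINIT_KEY.lower(), "AppInit_DLLs"): "",
}

# Constructed `reg export` style dump (sample data, not from an infected host);
# it reproduces the registry changes described in the Payload section.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\WinSocketA.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

_VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text: str) -> Dict[Tuple[str, str], object]:
    """Parse the .reg subset written by `reg export`: [key] headers, dword:HEX
    values and quoted strings (doubled backslashes are unescaped)."""
    values: Dict[Tuple[str, str], object] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None and (m := _VALUE_RE.match(line)):
            name, dword, string = m.groups()
            values[(key, name)] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return values

def find_indicators(values: Dict[Tuple[str, str], object]) -> List[Tuple[str, object, object]]:
    """Return (value name, found, expected) for every monitored value that deviates
    from the clean state; values absent from the dump are not reported."""
    return [(k[1], values[k], exp) for k, exp in EXPECTED.items()
            if k in values and values[k] != exp]
```

On a real host, export the two keys with `reg export` and pass the file contents to `parse_reg`; `reg export` writes UTF-16 files, so open them with `encoding="utf-16"`.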