Trojan.Win32.OnLineGames.IZ

by alexander.adamov on May 14th, 2012 in Malware Descriptions.

Platform: Win32, DLL
Type: Trojan
Size: 81384 bytes
Packer: UPX
Language: C++
MD5: 03750525C4BC10E36A40733EAEE37216
SHA1: B2A47CAEC704197997AFC5D34B90CA22929FB5BD

Summary

Trojan.Win32.OnLineGames.IZ is a Trojan program designed to steal user passwords for online games and messenger clients.

Technical Details

Installation

The Trojan is installed on the system by another malicious program, which loads the Trojan's library into the address space of the current user's processes.

Payload

Once loaded, the Trojan checks the file name of the process it is running in. If the file name is one of the following, the Trojan terminates:

  • QQLogin.exe is an executable file of Tencent QQ, the most popular free instant messaging program in mainland China.
  • DNF.exe is an executable file of Dungeon Fighter Online, a free multiplayer online fighting game.

If the "game.exe" file corresponds to the parent process, the Trojan launches a separate thread to steal user account information.

In addition, the Trojan steals the contents of the configuration file of the game “Forsaken World”:

%GameDir%\rolesettings\currentserver.ini

where %GameDir% is the Forsaken World client installation folder.

The Trojan can also capture screenshots and save them to the current user's temporary folder under a random file name with the ".jpg" extension.

The collected information is then sent to the attacker's server in an HTTP request:

http://da***bhm.com
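A small triage helper written for this description (an added example, not Lavasoft's or the analyst's code): it matches file contents against the two hashes given in the header and flags randomly named .jpg files in the temporary folder, the screenshot artefact described above. The random-name heuristic, the function names and the constructed inputs are assumptions.

```python
import hashlib
import os
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Hashes of the analysed sample, copied from the header of this description.
KNOWN_MD5 = {"03750525c4bc10e36a40733eaee37216"}
KNOWN_SHA1 = {"b2a47caec704197997afc5d34b90ca22929fb5bd"}

# Assumed heuristic for the "random name" screenshot files: an alphanumeric
# stem of six or more characters that mixes letters and digits.
_RANDOM_STEM = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9]{6,}$")


def digests(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests of in-memory file contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def digest_is_known(md5: str, sha1: str) -> bool:
    """True if either hex digest (any case) matches the page's indicators."""
    return md5.lower() in KNOWN_MD5 or sha1.lower() in KNOWN_SHA1


def is_known_sample(data: bytes) -> bool:
    """True if the file contents hash to the sample listed on the page."""
    return digest_is_known(*digests(data))


def scan_dir_for_sample(directory: str) -> List[str]:
    """Return paths of files under directory whose hash matches the sample."""
    hits = []
    for path in Path(directory).rglob("*"):
        if path.is_file() and is_known_sample(path.read_bytes()):
            hits.append(str(path))
    return sorted(hits)


def random_named_jpgs(names: Iterable[str]) -> List[str]:
    """Filter file names down to .jpg files whose stem looks machine-generated."""
    hits = []
    for name in names:
        stem, dot, ext = name.rpartition(".")
        if dot and ext.lower() == "jpg" and _RANDOM_STEM.match(stem):
            hits.append(name)
    return sorted(hits)


def scan_temp_for_screenshots(temp_dir: Optional[str] = None) -> List[str]:
    """Apply random_named_jpgs to the current user's temp folder (%TEMP%)."""
    folder = Path(temp_dir or os.environ.get("TEMP") or os.environ.get("TMPDIR", "/tmp"))
    return random_named_jpgs(p.name for p in folder.iterdir() if p.is_file())
```

A match on the hash identifies this exact sample only; the .jpg heuristic is a lead for further inspection, not proof of infection on its own.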

Removal Recommendations

  1. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user’s computer).
  2. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).