PWS-Mmorpg!hh
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 11/05/2009
- Length
- Minimum DAT
- 5793 (11/05/2009)
- Updated DAT
- 5798 (11/10/2009)
- Minimum Engine
- 5.2.00
- Description Added
- 11/05/2009
- Description Modified
- 11/23/2009 1:22 PM (PT)
Characteristics
Upon execution the malware binary creates the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36A1DF7-6582-4160-B925-59A34E39FE30}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36A1DF7-6582-4160-B925-59A34E39FE30}\InprocServer32
These keys register the dropped file as an in-process COM server under the CLSID {D36A1DF7-6582-4160-B925-59A34E39FE30}. A CLSID registration by itself runs nothing; it is the ShellExecuteHooks entry below that makes the shell load the file in every session.
When executed the malware adds the following registry values:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36A1DF7-6582-4160-B925-59A34E39FE30}\InprocServer32]
(Default) = "C:\WINDOWS\system32\EMQzJJURMfVkrkEx9GJ.inf"
"ThreadingModel" = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D36A1DF7-6582-4160-B925-59A34E39FE30}" = ""
The ShellExecuteHooks value registers the CLSID as an IShellExecuteHook handler. The shell instantiates every registered hook the first time it calls ShellExecuteEx and invokes it on each subsequent launch, so the dropped file ends up loaded inside Explorer (and inside any other process that calls ShellExecuteEx) during every logon session and sees each program launch made through the shell. The hook itself does not monitor all running processes; the broader monitoring described below is done by the loaded DLL through the API hooks it installs. Note that the file is a DLL despite its .inf extension; LoadLibrary does not care about the extension. On Windows Vista and later the shell ignores ShellExecuteHooks unless the EnableShellExecuteHooks policy value is set under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, so this persistence mechanism is effective mainly on Windows XP and earlier.
Upon execution the malware binary deletes itself and drops the following files on the compromised system:
- %WinDir%\Downloaded Program Files\SvS2DJAqqTvtTYEU.Ttf
- %SysDir%\EMQzJJURMfVkrkEx9GJ.inf [Detected as PWS-Mmorpg!hh]
The following behaviors were seen with this particular version of PWS-Mmorpg!hh:
- Drops the above mentioned file in %SysDir%
- Gets loaded into Explorer (and other processes that call ShellExecuteEx) via the ShellExecuteHooks entry and monitors user activity from there.
- Steals passwords of online games which are stored on the system.
- Hooks certain API calls
These are the defaults for typical path variables (although they may differ, these are common examples):
- %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
- %SysDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
- %ProgramFiles% = \Program Files
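The persistence described above is easy to miss in a registry dump because the ShellExecuteHooks value carries only a CLSID; the loaded file is only visible after following that CLSID to its InprocServer32 default value. The following Python script is an added example written for this page (it is not McAfee's tooling or the malware's code): it parses a .reg export of the relevant keys, resolves each ShellExecuteHooks CLSID to the file the shell will load, and flags entries whose server path has a non-DLL extension or a generated-looking name. The sample export embedded in the script is constructed from the entries listed above plus one benign shell32.dll entry for contrast; the benign CLSID is an assumed value for illustration. On a live Windows host the same keys would be read with the winreg module or PowerShell's Get-ItemProperty instead of a text export.

```python
"""Added example (not part of the McAfee description): resolve the
ShellExecuteHooks entries in a .reg export to the files they load.

The SAMPLE_REG text is constructed for this example from the entries in the
description plus one benign shell32.dll entry; it is not a real export."""
import ntpath
import re
from typing import Dict, List, Tuple

HOOKS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Explorer\ShellExecuteHooks")
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed sample input. The second CLSID is an assumed value standing in
# for a legitimate hook that ships with the OS.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36A1DF7-6582-4160-B925-59A34E39FE30}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36A1DF7-6582-4160-B925-59A34E39FE30}\InprocServer32]
@="C:\\WINDOWS\\system32\\EMQzJJURMfVkrkEx9GJ.inf"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D36A1DF7-6582-4160-B925-59A34E39FE30}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping of double quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string-value subset of .reg syntax into
    {key_path: {value_name: data}}; the default value is stored under ""."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])  # non-string types are kept raw
            keys[current][name] = data
    return keys


def resolve_hooks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Map each ShellExecuteHooks CLSID to its InprocServer32 default value,
    i.e. the file the shell will LoadLibrary; "" if the CLSID is unregistered."""
    return [
        (clsid, keys.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32", {}).get("", ""))
        for clsid in keys.get(HOOKS_KEY, {})
    ]


# Heuristic: 12+ alphanumerics mixing upper, lower and digits, as in the
# dropped file names above. Tune for your own environment.
_RANDOM_STEM = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}")


def suspicious_reasons(server_path: str) -> List[str]:
    """Analyst heuristics applied to a hook's in-process server path."""
    reasons: List[str] = []
    if not server_path:
        return ["CLSID has no InprocServer32 default value (dangling hook)"]
    stem, ext = ntpath.splitext(ntpath.basename(server_path))
    if ext.lower() not in (".dll", ".ocx"):
        reasons.append(f"in-process server has extension {ext!r}; "
                       "LoadLibrary ignores the extension, so a .inf can still be a DLL")
    if _RANDOM_STEM.fullmatch(stem):
        reasons.append("long mixed-case alphanumeric name looks generated")
    return reasons


def triage(reg_text: str) -> List[dict]:
    """Return one finding per ShellExecuteHooks entry that trips a heuristic."""
    keys = parse_reg(reg_text)
    return [
        {"clsid": clsid, "server": server, "reasons": reasons}
        for clsid, server in resolve_hooks(keys)
        if (reasons := suspicious_reasons(server))
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding["clsid"], "->", finding["server"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the constructed sample, only the {D36A1DF7-...} entry is reported, with both the extension and the generated-name heuristics firing; the shell32.dll entry resolves cleanly and is left alone. Any hit should still be confirmed by hashing the resolved file against the File Information below rather than trusting the name heuristics alone.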
Symptoms
- Presence of files and registry entries mentioned
- The file is packed with a runtime packer to hinder detection and reduce its size.
Method of Infection
Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or trojans to be installed on the user's system.
Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview -
This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
File Information:
- MD5: F7BCF14BECAEBA74F5270C46F35759C5
- SHA-1: 48B79775F828CDBB5F571A2ED562777C11AF2380
- File Size : 30823 bytes
Aliases: