Encyclopedia entry
Updated: Apr 17, 2011 | Published: Oct 07, 2009
Aliases
- Trojan-GameThief.Win32.Magania.cfef (Kaspersky)
- W32/OnLineGames.KWIF (Norman)
- Trojan.PWS.Magania.VIE (VirusBuster)
- Win32/PSW.OnLineGames.NTR (ESET)
- Infostealer.Gampass (Symantec)
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.121.1275.0, released Mar 10, 2012
Detection initially created: Definition 1.51.360.0, released Feb 06, 2009
Summary
PWS:Win32/OnLineGames.BX is a detection for a trojan that steals account information for certain online games and instant messaging applications. It logs the stolen account information by intercepting network traffic and monitoring specific APIs. It then sends the stolen information to a remote server.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Technical Information (Analysis)
PWS:Win32/OnLineGames.BX is a detection for a trojan that steals account information for certain online games and instant messaging applications. It logs the stolen account information by intercepting network traffic and monitoring specific APIs. It then sends the stolen information to a remote server.
Installation
PWS:Win32/OnLineGames.BX may be dropped and installed by other malware, for example, PWS:Win32/OnLineGames.BX.dr.
Payload
Steals Account Information
PWS:Win32/OnLineGames.BX is loaded when applications try to use the Windows Socket functions. It attempts to intercept network connections, and receive, send, and close operations if the process name is any of the following:
- AClient.exe
- client.exe
- ElementClient.exe
- Game.bin
- Game.exe
- Lin.bin
- MapleStory.exe
- Ragexe.exe
- RagFree.exe
- Ragnarok.exe
- ZodiacOnline.exe
Most of these processes are associated with online games.
PWS:Win32/OnLineGames.BX tries to intercept the 'CryptEncrypt' and 'CryptDecrypt' APIs and network connection operations if the process name is any of the following:
- _BeanFunCore.exe
- iexplore.exe
- msnmsgr.exe
- YahooMessenger.exe
Most of these processes are associated with instant messaging and other online applications.
It then filters the intercepted network traffic to log information, including the following:
- Account name
- Password
- Login server
PWS:Win32/OnLineGames.BX then sends the logged information to a remote server. One remote server it has been observed to send information to is 'ccaatt.com'.
Analysis by Shawn Wang
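As an added illustration that is not part of the Microsoft entry, the Python below shows the core of a hook check a responder could run inside the game and messaging processes named above: read the first bytes of each watched export (ws2_32's connect, send, recv and closesocket; advapi32's CryptEncrypt and CryptDecrypt) and flag any whose prologue has been replaced by a jump to an address outside the module that exports it. The load address, module size and prologue bytes are constructed sample values; reading them from a live process (for example with ReadProcessMemory) is assumed and not shown.

```python
import struct
from typing import Dict, Optional, Tuple

def hook_target(addr: int, prologue: bytes) -> Optional[int]:
    """Return where the code at `addr` transfers control, or None if it starts
    with ordinary instructions. Recognises the x86 trampolines API hookers
    write: E9 rel32 (jmp), 68 imm32 C3 (push/ret), B8 imm32 FF E0 (mov/jmp eax)."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":
        return struct.unpack_from("<I", prologue, 1)[0]
    return None

def is_hooked(addr: int, prologue: bytes, base: int, size: int) -> Tuple[bool, Optional[int]]:
    """A redirect that lands outside the exporting module is a hook; a jump that
    stays inside it (compiler stubs, hot-patch padding) is normal code."""
    target = hook_target(addr, prologue)
    if target is None:
        return False, None
    return not (base <= target < base + size), target

def make_jmp(from_addr: int, to_addr: int) -> bytes:
    """Encode `jmp rel32` from one address to another (only builds sample input)."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + 5))

# Constructed sample: made-up load address and size for ws2_32.dll, plus the
# bytes a memory read of two exports would return in a clean vs. hooked state.
WS2_BASE, WS2_SIZE = 0x71A10000, 0x30000
SEND_ADDR, RECV_ADDR = 0x71A1428A, 0x71A1615D
CLEAN = b"\x8b\xff\x55\x8b\xec"          # mov edi,edi ; push ebp ; mov ebp,esp
SAMPLE = {
    "send": (SEND_ADDR, CLEAN),
    "recv": (RECV_ADDR, make_jmp(RECV_ADDR, 0x10001234)),  # sent to foreign code
}

def scan(exports, base=WS2_BASE, size=WS2_SIZE) -> Dict[str, int]:
    """Return {export_name: hook_target} for every redirected export."""
    flagged = {}
    for name, (addr, prologue) in exports.items():
        hooked, target = is_hooked(addr, prologue, base, size)
        if hooked:
            flagged[name] = target
    return flagged

if __name__ == "__main__":
    for name, target in scan(SAMPLE).items():
        print(f"{name}: prologue jumps to {target:#010x}, outside ws2_32.dll")
```

A jump target that resolves to an unsigned DLL or to memory with no backing file is the usual sign of the kind of interception this entry describes, and the same check applies unchanged to the CryptEncrypt and CryptDecrypt exports of advapi32.dll.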