Wednesday, 4 April 2012

Trojan-GameThief.Win32.OnLineGames.blyk


Technical Details

This Trojan belongs to the family of Trojans that steal passwords from online gaming user accounts. It is a Windows application (PE EXE file). It is 16 672 bytes in size. It is packed using UPX; the unpacked file is approximately 293 KB in size. It is written in C++.

Payload

Once launched, the Trojan performs the following actions:
  • For the following files:
    %System%\sfc_os.dll
    %System%\rundll32.exe
    
    the Trojan creates copies, which it saves under the following names respectively:
    %System%\mmsfc1.dll
    %System%\GTH78380.exe
    
  • A function in the "mmsfc1.dll" library (the renamed copy of sfc_os.dll, the Windows File Protection library) is used to disable Windows File Protection for the "ComRes.dll" file in the Windows system directory, so that the file can be replaced without being restored by the system.
  • It renames the original file:
    %System%\ComRes.dll
    to:
    %System%\sysGTH.dll
    so that the legitimate DLL is kept aside and its name is freed for the Trojan's own copy.
  • It extracts the following files from its body:
    %WinDir%\fonts\comres1.ttf
    This file is 165 888 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.blyj.
    %WinDir%\fOntS\GTH78380.ttf
    This file is 35 328 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.vcpl.
    %WinDir%\fOntS\GTH78380.fon
    This file is 1312 bytes in size.
    %System%\ComRes.dll
    This file is 165 888 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.blyj.
  • It terminates the following process:
    elementclient.exe
  • It launches the following command:
    %System%\GTH78380.exe %WinDir%\fOnTs\comres1.ttf dns <path_to_original_body_of_trojan>
    
Because GTH78380.exe is the renamed copy of rundll32.exe, this loads "comres1.ttf" as a DLL (despite its font extension) and calls its exported function "dns", passing the path to the original body of the Trojan as the argument.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:
    %System%\mmsfc1.dll
    %System%\GTH78380.exe
    %System%\ComRes.dll
    %WinDir%\fOntS\ComRes1.ttf
    %WinDir%\fOntS\GTH78380.ttf
    %WinDir%\fOntS\GTH78380.fon
    
  4. Rename the file:
    %System%\sysGTH.dll
    back to its original name:
    %System%\ComRes.dll
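The removal steps above, together with a more general check for the technique behind the fonts-directory indicators (a PE file parked under a .ttf name), as an added Python example that is not part of the original description and not Kaspersky's tooling. It assumes %System% is <windir>\system32, takes the Windows directory as an argument so the logic can be exercised on a constructed tree, and leaves steps 1 and 2 (terminating the process, deleting the dropper) to the operator, because the page names neither. The refusal to delete ComRes.dll when sysGTH.dll is absent is a safety check added here, not something the page states.

```python
"""Triage and clean-up helper for the OnLineGames.blyk indicators listed above.

Added example, not the page's or Kaspersky's own code. Paths are resolved under a
caller-supplied Windows directory (%WinDir%); %System% is assumed to be
<windir>/system32. Killing the Trojan process and deleting the dropper are left
to the operator because the page does not name either.
"""
import sys
import tempfile
from pathlib import Path

# Indicators from the page: path relative to %WinDir% -> size stated on the page (None if not given).
IOC_FILES = {
    "system32/mmsfc1.dll": None,       # renamed copy of sfc_os.dll (Windows File Protection)
    "system32/GTH78380.exe": None,     # renamed copy of rundll32.exe
    "system32/ComRes.dll": 165888,     # Trojan DLL installed in place of the real one
    "fonts/comres1.ttf": 165888,       # same payload, parked in the fonts directory
    "fonts/GTH78380.ttf": 35328,
    "fonts/GTH78380.fon": 1312,
}
BACKUP_OF_ORIGINAL = "system32/sysGTH.dll"   # where the Trojan moved the genuine ComRes.dll
REPLACED_DLL = "system32/ComRes.dll"


def is_pe_masquerading_as_ttf(path: Path) -> bool:
    """True for a .ttf whose header is an MZ stub, i.e. a DLL/EXE parked as a font.
    Real TrueType files start with 00 01 00 00, 'true', 'OTTO' or 'ttcf'.
    .fon files are genuinely MZ/NE executables, so they are deliberately not checked."""
    if path.suffix.lower() != ".ttf":
        return False
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def find_indicators(windir: Path) -> dict:
    """Map each IOC path to 'present', 'size-mismatch' or 'absent'."""
    result = {}
    for rel, expected in IOC_FILES.items():
        p = windir / rel
        if not p.is_file():
            result[rel] = "absent"
        elif expected is not None and p.stat().st_size != expected:
            result[rel] = "size-mismatch"
        else:
            result[rel] = "present"
    return result


def scan_fonts_for_pe(windir: Path) -> list:
    """Generic check behind the specific IOCs: any .ttf in %WinDir%\\fonts that is really a PE."""
    fonts = windir / "fonts"
    if not fonts.is_dir():
        return []
    return sorted(p.name for p in fonts.iterdir() if p.is_file() and is_pe_masquerading_as_ttf(p))


def clean(windir: Path, dry_run: bool = True) -> list:
    """Removal steps 3 and 4. Returns the actions taken (or planned, if dry_run).

    Safety check added here (not on the page): the Trojan's ComRes.dll is only deleted
    when the saved original (sysGTH.dll) exists, otherwise the system would be left
    with no ComRes.dll at all."""
    actions = []
    backup = windir / BACKUP_OF_ORIGINAL
    for rel in IOC_FILES:
        p = windir / rel
        if not p.is_file():
            continue
        if rel == REPLACED_DLL and not backup.is_file():
            actions.append(f"SKIP {rel}: {BACKUP_OF_ORIGINAL} missing, nothing to restore")
            continue
        actions.append(f"DELETE {rel}")
        if not dry_run:
            p.unlink()
    if backup.is_file():
        actions.append(f"RENAME {BACKUP_OF_ORIGINAL} -> {REPLACED_DLL}")
        if not dry_run:
            backup.rename(windir / REPLACED_DLL)
    return actions


def make_sample_tree() -> Path:
    """Constructed stand-in for an infected %WinDir% (sample data, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="blyk_"))
    (root / "system32").mkdir()
    (root / "fonts").mkdir()
    for rel, size in IOC_FILES.items():
        (root / rel).write_bytes(b"MZ" + b"\0" * ((size or 64) - 2))   # MZ stub padded to the stated size
    (root / BACKUP_OF_ORIGINAL).write_bytes(b"MZ" + b"original ComRes.dll")
    (root / "fonts" / "arial.ttf").write_bytes(b"\x00\x01\x00\x00" + b"\0" * 60)  # benign TrueType header
    return root


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    apply = "--apply" in sys.argv
    windir = Path(args[0]) if args else make_sample_tree()   # no argument: run against the sample tree
    for rel, status in find_indicators(windir).items():
        print(f"{status:14} {rel}")
    print("PE files disguised as .ttf:", scan_fonts_for_pe(windir))
    for action in clean(windir, dry_run=not apply):
        print(("" if apply else "[dry-run] ") + action)
```

Run it with no arguments to see the dry run against the constructed tree; on a real host, point it at %WinDir% (normally C:\Windows) and add --apply only after the Trojan process and the dropper have been dealt with by hand. Note that after a successful restore the genuine ComRes.dll will report "size-mismatch", since the 165 888-byte size on the page describes the Trojan's copy, not the original.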
