This is yet another variant of one of the most prolific online-games password stealer malware "families" out-there.
Upon execution, the first thing it does is to create autorun.inf files pointing to copies of itself, making sure it can survive after a system restart. These files will be located on root of the local drives of an affected system.
It creates another copy of itself into the temporary folder of the current user, where it also drops a new dll file which implements all the functionality required for stealing passwords related to MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron or other games.
The newly created copy will be registered for running at the system start-up by a new entry created under HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run (named cdoosoft, having the path of the file as its value). At this point, the original infected file deletes itself from the disk, removing its traces.
The .dll file from the temp folder will then be written into the memory space of the explorer.exe process and executed. The malicious code injected into explorer.exe is responsable for setting the hooks needed for stealing passwords and also for further propagation by periodical (two times a minute) creation of autorun.inf files (and of the associated executable files) in the root folder of the local partitions.
SYMPTOMS:
- presence of a hidden autorun.inf file on the root of your system partition (usually C:\autorun.inf)
- presence of a hidden executable file on the same folder location as the autorun.inf, pointed in the autorun.inf by an open statement
- presence of a hidden Dynamic Link Library file and a hidden executable file in your temporary folder (located in your [LocalSettingsFolder] , could be for example C:\Documents and Settings\username\Local Settings\Temp)
Aliases : Trojan-GameThief.Win32.Magania.crjh, Worm.Win32.AutoRun
By : Marius Vanta, virus researcher
Please let BitDefender disinfect your files. Download Free BitDefender + Serial
No comments:
Post a Comment