
Trojan.PWS.OnlineGames.KDAT


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.PWS.OnlineGames.KDAT.

Explanation :

This is another "classic" online-games password stealer that shares most of its behavior with the rest of its family. Upon execution the malware will:
- make a fresh copy of itself inside the %temp% folder, as herss.exe
- drop its DLL component inside the %temp% folder, as cvasds0.dll
- register itself at startup by adding the registry value:
SoftWare\Microsoft\Windows\CurrentVersion\Run\cdoosoft, which points to %temp%\herss.exe
- inject the dropped DLL (cvasds0.dll) into running processes.

The DLL is responsible for the actual "stealing". After being injected into all running processes, it creates a new copy of the trojan in the root directory of the C: drive, as 0qw6vege.exe, together with an autorun.inf file that points to 0qw6vege.exe.
It sets the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue value to 0, which disables the "Show hidden files and folders" option under Folder Options -> View, so the dropped files stay hidden from the user.
The trojan also tries to bypass GameGuard and HShield protection, software commonly used to prevent cheating or password stealing.
It steals sensitive data related to the following online games:
MapleStory, AgeOfConan, The Lord of the Rings Online, Knight Online, Metin 2, FlyFF.
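The artifacts listed above (the two %temp% drops, the Run value, the root-drive copy with its autorun.inf, and the CheckedValue change) are enough to write a host check. The script below is an added example for this page, not BitDefender code or part of the original description: it evaluates a constructed host snapshot (file list, registry values, autorun.inf text) against those indicators so it runs offline. The hive of the Run value is not stated on the page, so the check matches the value name under any hive; the user profile path and the sample file lists are constructed.

```python
"""Check a host snapshot for the artifacts attributed to
Trojan.PWS.OnlineGames.KDAT in the description above.

Added example (not the vendor's code). The snapshot is constructed here so the
script runs offline; on a live Windows host the same fields would be filled
from a directory listing and `reg query` output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the description.
TEMP_DROPS = ("herss.exe", "cvasds0.dll")       # dropped into %temp%
ROOT_COPY = "0qw6vege.exe"                      # copy placed in C:\
RUN_VALUE_SUFFIX = r"\currentversion\run\cdoosoft"   # hive not given on the page
SHOWALL_SUFFIX = r"\explorer\advanced\folder\hidden\showall\checkedvalue"


@dataclass
class HostSnapshot:
    """Minimal view of a host. Registry keys are full 'HIVE\\key\\value' paths."""
    files: List[str]
    registry: Dict[str, object]
    autorun_inf: Optional[str] = None                  # text of C:\autorun.inf, if any
    temp_dir: str = r"C:\Users\alice\AppData\Local\Temp"  # assumed %temp% location


def scan(snap: HostSnapshot) -> List[str]:
    """Return one finding per matched indicator; empty list means nothing seen."""
    findings: List[str] = []
    present = {p.lower() for p in snap.files}
    temp = snap.temp_dir.lower().rstrip("\\")

    # 1. Fresh copy and DLL component in %temp%.
    for name in TEMP_DROPS:
        if f"{temp}\\{name}" in present:
            findings.append(f"dropped file: {temp}\\{name}")

    for path, data in snap.registry.items():
        low = path.lower()
        # 2. Startup persistence: Run\cdoosoft pointing at the %temp% copy.
        if low.endswith(RUN_VALUE_SUFFIX) and "herss.exe" in str(data).lower():
            findings.append(f"persistence: {path} = {data}")
        # 3. "Show hidden files and folders" forced off (CheckedValue = 0).
        if low.endswith(SHOWALL_SUFFIX) and str(data).strip() in ("0", "0x0"):
            findings.append(f"hidden files suppressed: {path} = {data}")

    # 4. Root-drive copy plus an autorun.inf that launches it.
    if f"c:\\{ROOT_COPY}" in present:
        findings.append(f"root copy: C:\\{ROOT_COPY}")
    if snap.autorun_inf:
        for line in snap.autorun_inf.splitlines():
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute") and ROOT_COPY in value.lower():
                findings.append(f"autorun.inf launches {value.strip()}")
                break
    return findings


# Constructed snapshots: one matching the description, one clean.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
INFECTED = HostSnapshot(
    files=[rf"{TEMP}\herss.exe", rf"{TEMP}\cvasds0.dll", rf"{TEMP}\setup.log",
           r"C:\0qw6vege.exe", r"C:\autorun.inf", r"C:\Windows\explorer.exe"],
    registry={
        # Hive assumed (HKCU); the page gives only the key path and value name.
        r"HKEY_CURRENT_USER\SoftWare\Microsoft\Windows\CurrentVersion\Run\cdoosoft":
            rf"{TEMP}\herss.exe",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
        r"\Advanced\Folder\Hidden\SHOWALL\CheckedValue": 0,
    },
    autorun_inf="[autorun]\nopen=0qw6vege.exe\nshellexecute=0qw6vege.exe\n",
)
CLEAN = HostSnapshot(
    files=[rf"{TEMP}\setup.log", r"C:\Windows\explorer.exe"],
    registry={
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
        r"\Advanced\Folder\Hidden\SHOWALL\CheckedValue": 1,
    },
)

if __name__ == "__main__":
    for finding in scan(INFECTED):
        print(finding)
    print("clean host findings:", scan(CLEAN))
```

The checks are deliberately independent: a single hit on the Run value or on CheckedValue alone is worth a look even when the %temp% copy has already been cleaned up, and matching the value name under any hive avoids missing the artifact because the page does not state which hive the sample uses.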

Last update 21 November 2011