PWS:WinNT/OnLineGames.E


First posted on 13 September 2012.
Source: Microsoft

Aliases:

PWS:WinNT/OnLineGames.E is also known as Win-Trojan/Rootkit.38144.B (AhnLab), Trojan horse Hider.QPN (AVG), TR/Rootkit.Gen (Avira), Trojan.NtRootKit.13335 (Dr.Web), Win32/PSW.OnLineGames.PZJ trojan (ESET), RootKit.Win32.KillAV.aq (Rising AV).

Explanation:

PWS:WinNT/OnLineGames.E is the rootkit component of the PWS:Win32/OnlineGames family. Its role is to hide certain files and registry keys to prevent removal from your computer.



Installation

PWS:WinNT/OnLineGames.E may have the file name "%windir%\drivers\ahnurl.sys".

It registers itself as a system service by creating the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ahnurl
Sets value: "Type"
With data: "dword:00000001"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "<system folder>\drivers\ahnurl.sys"
Sets value: "DisplayName"
With data: "ahnurl"

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.



Payload

Lowers system security

PWS:WinNT/OnLineGames.E terminates the following security-related processes if any of them are running on your computer:

  • alyac.aye
  • ashupd.exe
  • avastsvc.exe
  • avastui.exe
  • avp.exe
  • avsx.exe
  • ayagent.aye
  • ayagent.exe
  • ayrtsrv.aye
  • ayrtsrv.exe
  • ayservicent.aye
  • ayupdate.aye
  • ayupdsrv.aye
  • ayupdsrv.exe
  • mupdate2.exe
  • naveragent.exe
  • nsavsvc.exe
  • nsavsvc.npc
  • nsvmon.exe
  • nsvmon.npc
  • nvcagent.exe
  • nvcagent.npc
  • nvcupgrader.exe
  • nvcupgrader.npc
  • v3light.exe
  • v3lrun.exe
  • v3lsvc.exe
  • v3ltray.exe
  • v3medic.exe


Hides files and registry keys

PWS:WinNT/OnLineGames.E hides the following files in such a way that they do not appear even when the "Show Hidden Files/System Files" setting is enabled:

  • %windir%\olesau32.dll - detected as PWS:Win32/OnLineGames
  • %windir%\drivers\ahnurl.sys - detected as PWS:WinNT/OnLineGames.E


It also hides the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\ahnurl

Additional information

PWS:WinNT/OnLineGames.E hooks the following APIs as part of its stealth routine:

  • ZwEnumerateKey
  • ZwEnumerateValueKey
  • ZwQueryDirectoryFile
  • ZwMapViewOfSection
  • NtMapViewOfSection

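The hook list above points at a cross-view check: directory listings and subkey enumeration go through ZwQueryDirectoryFile and ZwEnumerateKey, while opening a file or key by its exact name does not, so an artifact that opens by name but never appears in a listing is the discrepancy a rootkit of this kind leaves. The PowerShell below is an added example and not part of the Microsoft write-up; it assumes the file and key names given on this page, checks both the %windir% and System folder locations the page uses, and rests on the assumption that only the listed APIs are hooked (a variant that also hooks the open paths would not show the discrepancy).

```powershell
# Added example, not part of the original write-up: cross-view check for the
# artifacts listed above. Enumeration (hooked paths) is compared with a direct
# open by name (not in the hook list); a mismatch flags a hidden object.
# Run in an elevated PowerShell session on the suspect host.

$bases = @($env:windir, [Environment]::SystemDirectory)   # both notations used above
$suspectFiles = foreach ($b in $bases) {
    Join-Path $b 'olesau32.dll'
    Join-Path $b 'drivers\ahnurl.sys'
}
$servicesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$suspectService = 'ahnurl'

function Test-HiddenFile {
    param([string]$Path)
    $dir  = Split-Path -Parent $Path
    $name = Split-Path -Leaf $Path
    # Direct open by name: attribute query on the full path, no enumeration.
    $opensByName = Test-Path -LiteralPath $Path -PathType Leaf
    # Enumeration view: -Force includes hidden and system files, so an honest
    # listing would contain the file.
    $listed = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ieq $name }).Count -gt 0
    [pscustomobject]@{ Path = $Path; OpensByName = $opensByName; Listed = $listed;
                       Hidden = ($opensByName -and -not $listed) }
}

function Test-HiddenServiceKey {
    param([string]$Parent, [string]$Name)
    # Direct open: the full key path is opened by name.
    $opensByName = Test-Path -LiteralPath "$Parent\$Name"
    # Enumeration view: Get-ChildItem walks the subkeys of the parent key.
    $listed = @(Get-ChildItem -LiteralPath $Parent -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -ieq $Name }).Count -gt 0
    [pscustomobject]@{ Path = "$Parent\$Name"; OpensByName = $opensByName; Listed = $listed;
                       Hidden = ($opensByName -and -not $listed) }
}

$results  = @($suspectFiles | ForEach-Object { Test-HiddenFile $_ })
$results += Test-HiddenServiceKey -Parent $servicesKey -Name $suspectService
$results | Format-Table -AutoSize
# Hidden = True on a row means the object opens by name but the enumeration
# path omits it; OpensByName = False everywhere means none of the listed
# artifacts are present at these locations.
```

A clean host reports OpensByName = False for every row; a row with OpensByName = True and Listed = False is the stealth behaviour described above and warrants an offline scan of the volume.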



Analysis by Alden Pornasdoro

Last update 13 September 2012
