Home / malware Trojan.PWS.OnlineGames.KBXS
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.PWS.OnlineGames.KBXS is also known as PWS:win32/Lolyda.AD;, Trojan-GameThief.Win32.OnLineGames.uwvj.
Explanation :
This detection stands for the dll component responsible for monitoring user's activity of an online games password stealer.
When the dropper of this file is executed it will first make a copy of %System%sfc_os.dll and name it %System%mmsfc1.dll in order to bypass windows file protection when overwriting %System%comres.dll with its malicious .dll file. The original comres.dll file will be saved under sysGTH.dll in the same folder. A copy of the malicious .dll file will be created also in %Windows%fOntS folder. This component will be loaded in every running processes and will monitor user's activity as keystrokes and mouse gestures in order to steal sensitive information related to different online games or messenger accounts. The targeted programs are: QQ Login, Dungeon and Fighter, Tenio.
The component responsible with sending the gathered information to the malware author will be dropped in %Windows%fOntS folder under GTH60366.ttf (detected as Trojan.PWS.OnlineGames.KBXJ).
The information (as username, password, server, money, goldCoin, equipment, level and others) will be sent to the following addresses:
http://www.wg210.com/mail.asp
http://www.wg210.com/mibao.asp
http://1.qq594358080.cn/kanxin/004/mail.aspLast update 21 November 2011
