
Trojan.PWS.Onlinegames.ZGE


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.PWS.Onlinegames.ZGE is also known as Win32/PSW.OnLineGames.NMY (NOD32).

Explanation:

The virus is initially an executable file; when launched it does the following:
copies itself to %SYSTEM%\[virus_name].exe (e.g. ckvo.exe)
drops %SYSTEM%\[virus_name][N].exe (e.g. ckvo1.dll), which is used to monitor
actions (keystrokes) inside game executables
drops %TEMP%\f.dll, which contains the code for the actions mentioned below
overwrites %SYSTEM%\drivers\vga.sys and loads this driver.
In order to be launched when partitions' root folders are accessed from Explorer, the malware creates
in these locations the files autorun.inf and ffocj.com, the latter being a copy of the malware.

Creates [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe"
and
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVsys]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\??\C:\WINDOWS\system32\drivers\vga.sys"

Explorer.exe will be injected with the first DLL, which hooks the messages exchanged between the target applications and the system in order to steal user data
typed inside those applications.

Tries to download a file from the following URL: http://www.mgmicrosoft.com/[removed]/help1.rar

The Explorer setting controlling the visibility of hidden files will be set to "Do not show",
and any attempt to modify it from "Folder Options" will be overwritten. Hidden files
are still visible from other file system browsers.

The target applications are some online games: Silkroad Online, KnightOnline, Lineage, Cabal Online.
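As an added example (not part of the BitDefender write-up), the following Python script shows how a responder could triage a host offline for the persistence artefacts listed above: the "kamsoft" Run value, the KAVsys kernel-driver service pointing at vga.sys, the Explorer hidden-files setting, and autorun.inf files in drive roots. It works on a registry export in .reg syntax plus the text of any autorun.inf found, so it can be run against collected evidence without touching the live machine. The registry export, the autorun.inf content and the `Explorer\Advanced` "Hidden" value check are constructed or assumed for the demo; the page itself does not name that key, and the Explorer value is included as the standard location of the "Show hidden files" setting. The Run and service checks match only the indicators the write-up gives, so any other value under those keys is ignored; a match on the vga.sys service is an indicator to follow up with a file-hash comparison, since a legitimate vga.sys also ships with Windows.

```python
"""Offline triage for the persistence artefacts described in the write-up.
Added example; all sample input below is constructed for the demonstration."""
import re

# Constructed sample: a .reg-style export of the keys of interest.  The two
# first keys reproduce what the description lists; the OneDrive entry is a
# benign decoy that must not be flagged.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kamsoft"="C:\\WINDOWS\\system32\\ckvo.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVsys]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\vga.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"""

# Constructed sample: an autorun.inf as it might sit in a partition root,
# launching the .com copy of the malware named in the description.
SAMPLE_AUTORUN = r"""[autorun]
open=ffocj.com
shellexecute=ffocj.com
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower()
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services".lower()
# Assumed (not on the page): standard Explorer key holding the hidden-files toggle;
# Hidden=2 means "Do not show hidden files and folders".
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced".lower()


def parse_reg(text):
    """Parse a minimal .reg export into {key (lower-cased): {value name: value}}.
    dword values become ints; string values have the \\\\ escaping undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\")
            else:
                value = raw
            keys[current][name] = value
    return keys


def check_registry(keys):
    """Return findings for the registry indicators named in the description."""
    findings = []
    for name, path in keys.get(RUN_KEY, {}).items():
        if name.lower() == "kamsoft" or str(path).lower().endswith("\\ckvo.exe"):
            findings.append(f"Run value {name!r} -> {path}")
    svc = keys.get(SERVICES_KEY + "\\kavsys")
    if svc is not None:
        # Type=1 is a kernel driver, Start=1 is SERVICE_SYSTEM_START.
        findings.append(f"service KAVsys: ImagePath={svc.get('ImagePath')} "
                        f"Type={svc.get('Type')} Start={svc.get('Start')}")
    if keys.get(ADVANCED_KEY, {}).get("Hidden") == 2:
        findings.append("Explorer set not to show hidden files (Hidden=2)")
    return findings


def check_autorun(drive, text):
    """Flag any launch directive (open=, shellexecute=, shell\\...\\command=)."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(\S.*)", line, re.I)
        if m:
            findings.append(f"{drive} autorun.inf {m.group(1).lower()} -> {m.group(2).strip()}")
    return findings


def triage(reg_text, autorun_files):
    """Combine registry and autorun.inf checks; autorun_files maps drive -> text."""
    findings = check_registry(parse_reg(reg_text))
    for drive, text in autorun_files.items():
        findings.extend(check_autorun(drive, text))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG, {"D:": SAMPLE_AUTORUN}):
        print("[!]", f)
```

The script only reports; cleanup (deleting the Run value, the service key and the autorun.inf/ffocj.com pair, and restoring vga.sys from a known-good copy) is a separate step that should follow confirmation of the driver's hash.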

Last update 21 November 2011

