
Trojan.PWS.OnlineGames.AABK


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.PWS.OnlineGames.AABK is also known as Trojan-GameThief.Win32.OnLineGames.toyp, Trj/Lineage.JZV, TROJ_ZLOB.BCK, PWS-Mmorpg.gen, Spy/OnLineGames.

Explanation :

First, the malware deletes the backup copies of %windir%\system32\rpcss.dll (a Windows file) held at %windir%\system32\dllcache\rpcss.dll and %windir%\servicepackfiles\i386\rpcss.dll, so that the operating system cannot restore the original file.
A copy of the original rpcss.dll is, however, kept as %windir%\system32\srpcss.dll; it is loaded and used whenever functions from this .dll are needed.
The malware then overwrites the legitimate %windir%\system32\rpcss.dll with a .dll carried in its body, which it also drops as %windir%\system32\gdipro.dll.

At this point, %windir%\system32\rpcss.dll contains unwanted code that is loaded at every system startup, since the file is used (and loaded) by the svchost.exe process.
The replacement rpcss.dll exports the same functions as srpcss.dll, each of them redirecting execution to the corresponding function in srpcss.dll. The main malicious action is performed at load time: a remote thread is created in csrss.exe (or explorer.exe) that executes code from %windir%\system32\sys05020.dll, another file dropped by the malware.

This sys05020.dll will try to collect sensitive data sent while connecting to some online-gaming sites or to block access to other such sites.

Once all the files above have been dropped and run or loaded, the original trojan deletes itself.
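A host triage check for the behaviour described above, added here as an example and not part of the BitDefender description: it looks for the dropped files (srpcss.dll, gdipro.dll, sys05020.dll), for the deleted backup copies of rpcss.dll, and for a system32\rpcss.dll whose hash no longer matches the surviving backup copies. The directory layout it scans is a constructed sample built in a temporary folder; on a real host you would point triage() at %windir% instead, and the ServicePackFiles\i386 backup only exists on systems with a service pack installed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List

# Artifacts named in the description: files the trojan drops, the file it
# replaces, and the backup copies it deletes so the original cannot be restored.
DROPPED_FILES = ["system32/srpcss.dll", "system32/gdipro.dll", "system32/sys05020.dll"]
PROTECTED = "system32/rpcss.dll"
BACKUP_COPIES = ["system32/dllcache/rpcss.dll", "ServicePackFiles/i386/rpcss.dll"]


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(windir: Path) -> List[str]:
    """Return findings for the %windir% tree rooted at windir (empty list = nothing found)."""
    windir = Path(windir)
    findings = [f"dropped file present: {rel}" for rel in DROPPED_FILES if (windir / rel).exists()]
    live = windir / PROTECTED
    if not live.exists():
        return findings + ["rpcss.dll missing from system32"]
    live_hash = sha256(live)
    for rel in BACKUP_COPIES:
        backup = windir / rel
        if not backup.exists():
            findings.append(f"backup copy missing: {rel}")       # deleted to defeat restoration
        elif sha256(backup) != live_hash:
            findings.append(f"rpcss.dll differs from backup copy {rel}")  # replaced by proxy DLL
    return findings


def build_sample(infected: bool) -> Path:
    """Constructed sample %windir% layout in a temp dir (placeholder bytes, not real DLLs)."""
    root = Path(tempfile.mkdtemp(prefix="windir_"))
    clean = b"MZ original rpcss image (constructed)"
    (root / "system32" / "dllcache").mkdir(parents=True)
    (root / "ServicePackFiles" / "i386").mkdir(parents=True)
    (root / "ServicePackFiles" / "i386" / "rpcss.dll").write_bytes(clean)
    if infected:
        # proxy DLL in place, original renamed to srpcss.dll, dllcache copy deleted
        (root / "system32" / "rpcss.dll").write_bytes(b"MZ proxy image (constructed)")
        (root / "system32" / "srpcss.dll").write_bytes(clean)
        (root / "system32" / "sys05020.dll").write_bytes(b"MZ payload (constructed)")
    else:
        (root / "system32" / "rpcss.dll").write_bytes(clean)
        (root / "system32" / "dllcache" / "rpcss.dll").write_bytes(clean)
    return root


if __name__ == "__main__":
    for infected in (False, True):
        print("infected" if infected else "clean", triage(build_sample(infected)))
```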

Last update 21 November 2011
