Home / malware Trojan-PSW:W32/Nilage.AFZ
First posted on 05 September 2008.
Source: SecurityHomeAliases :
There are no other names known for Trojan-PSW:W32/Nilage.AFZ.
Explanation :
Trojan-PSW:W32/Nilage.AFZ attempts to steal username and password information for the Lineage MMORPG.
right]Nilage.AFZ terminates the following security related processes:
- RavMon.exe
- EGHOST.EXE
- MAILMON.EXE
- KAVPFW.EXE
- IPARMOR.EXE
- Ravmond.EXE
It also closes the window titled RavMonClass if it exists.
The trojan monitors traffic to the following URLs in order to steal username and password information:
- https://cs.lineage.co.kr/account/losePassword/losePasswordCheck.asp
- https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordSub.asp
- https://cs.lineage.co.kr/account/losePassword/losePasswordForm.asp
- https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordForm.asp
The stolen data is stored in c:logo.dat before it is sent to the attacker via e-mail.Last update 05 September 2008
