Computer Virus Encyclopedia

Trojan.PWS.OnlineGames.AABK

Alert Level : medium
Discovered: 2008Oct21
Discoverer and Source: http://www.bitdefender.com/

Malware Behavior and Technical Description

If you have the following files on your computer, you are infected:

%windir%\system32\srpcss.dll
%windir%\system32\sys05020.add
%windir%\system32\sys05020.dll (size 24.5 KB)
%windir%\system32\gdipro.dll (size 35.5 KB)

where %windir% denotes C:\Windows or C:\WINNT, depending on the operating system.

First, the malware deletes the backup copies of %windir%\system32\rpcss.dll (a Windows file) from
%windir%\system32\dllcache\rpcss.dll and
%windir%\servicepackfiles\i386\rpcss.dll, so that the operating system cannot restore the original file from these locations.
A copy of the original rpcss.dll is kept as %windir%\system32\srpcss.dll; this copy is loaded and used whenever the functions of the original .dll are needed.
The malware then overwrites the legitimate %windir%\system32\rpcss.dll with a .dll contained in its body; the same .dll is also dropped as %windir%\system32\gdipro.dll.

At this point, %windir%\system32\rpcss.dll contains malicious code that is loaded at every system startup, because the file is used (and loaded) by the svchost.exe process.
The replacement rpcss.dll exports the same functions as srpcss.dll, and each export forwards execution to the corresponding function in srpcss.dll, so the system keeps working normally. The main malicious action is performed at load time: the creation of a remote thread in csrss.exe (or explorer.exe) that executes code from %windir%\system32\sys05020.dll, another file dropped by the malware.

This sys05020.dll will try to collect sensitive data sent while connecting to some online-gaming sites or to block access to other such sites.

After all of the above files have been dropped and run or loaded, the original trojan deletes itself.

Removal instructions for Trojan.PWS.OnlineGames.AABK:

- Restore the original rpcss.dll by renaming %windir%\system32\srpcss.dll to %windir%\system32\rpcss.dll, then delete the other malware files (%windir%\system32\sys05020.add, %windir%\system32\sys05020.dll, %windir%\system32\gdipro.dll);
or
- Let BitDefender delete the infected files, then rename %windir%\system32\srpcss.dll to %windir%\system32\rpcss.dll.
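The file layout described above can be triaged and repaired with a short script. The following is an added example, not BitDefender's tool or code from the advisory: it takes a Windows directory path (the %windir% of the page), reports the dropped files and the missing rpcss.dll backups, and applies the manual removal step only when the renamed original srpcss.dll is present. The sample directory it builds for testing holds placeholder bytes, not real malware.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the advisory: files dropped under %windir%\system32 ...
DROPPED = ["srpcss.dll", "sys05020.add", "sys05020.dll", "gdipro.dll"]
# ... and the two backup copies of rpcss.dll deleted so Windows cannot restore the original.
BACKUPS = ["system32/dllcache/rpcss.dll", "servicepackfiles/i386/rpcss.dll"]


def triage(windir):
    """Read-only check of a Windows directory for the advisory's file indicators."""
    root = Path(windir)
    found = [n for n in DROPPED if (root / "system32" / n).is_file()]
    missing = [b for b in BACKUPS if not (root / b).is_file()]
    # The advisory's layout: the renamed original plus at least one other dropped file.
    verdict = "infected" if "srpcss.dll" in found and len(found) > 1 else "clean"
    return {"found": found, "missing_backups": missing, "verdict": verdict}


def restore(windir):
    """Apply the advisory's manual removal: put srpcss.dll back as rpcss.dll, delete the rest.

    Returns the actions performed. Does nothing unless triage() reports the infected
    layout, so it never touches the rpcss.dll of a clean system.
    """
    if triage(windir)["verdict"] != "infected":
        return []
    s32 = Path(windir) / "system32"
    actions = []
    os.replace(s32 / "srpcss.dll", s32 / "rpcss.dll")  # replace the proxy with the original
    actions.append("renamed srpcss.dll -> rpcss.dll")
    for n in DROPPED[1:]:
        p = s32 / n
        if p.is_file():
            p.unlink()
            actions.append("deleted " + n)
    return actions


def make_constructed_sample():
    """Build a throwaway directory mimicking the infected layout (constructed test data,
    not real malware): placeholder bytes stand in for each DLL. Returns the path."""
    d = Path(tempfile.mkdtemp())
    (d / "system32").mkdir()
    (d / "system32" / "rpcss.dll").write_bytes(b"PROXY-DLL")       # the overwritten file
    (d / "system32" / "srpcss.dll").write_bytes(b"ORIGINAL-RPCSS")  # the renamed original
    for n in DROPPED[1:]:
        (d / "system32" / n).write_bytes(b"DROPPED")
    return str(d)
```

On a live system rpcss.dll is loaded by svchost.exe, as the advisory notes, so the rename must be done while the file is not in use (for example from a recovery environment).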

