Trojan-PSW.Win32.OnLineGames.oz

tag: Password-stealing Trojans

This Trojan is designed to steal online gaming passwords.

When launched, the Trojan injects code into the explorer.exe process by loading LgSy0.dll (or Kavs0.dll; the file name varies between versions of the Trojan) in order to gain unhindered access to the Internet.

The Trojan harvests the names of gaming servers, player passwords, PIN numbers and other information. All of the data relates to one specific, well-known online game.

The Trojan sends the harvested data via HTTP to the remote malicious user's server.

In order to protect itself from firewalls and antivirus solutions, the Trojan checks memory for the following processes:

RavMon.exe
Twister.exe
FileMsg.exe
trojankiller.exe

It also searches the system for windows of the following classes:

AVP.AlertDialog

It will emulate a mouse click on the following buttons in these windows:

"Razreshit'" [Russian for 'Allow']

It will close windows of the class "AVP.Product_Notification".

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the Trojan files:
    Winlog0n.exe
    LgSy0.dll
    Kavs0.dll
  3. Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    " 
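To triage a suspect host for the persistence entry that step 3 and the Installation section describe, here is an added example (not from the original page or from any vendor tool) that flags Run-key values whose target resolves into %Temp%, carries one of the dropped file names, or mimics winlogon.exe with digit substitutions. The Run-key contents, the value name xq7Fk3 and the %Temp% path are constructed sample data; on a live host they would come from winreg and os.environ.

```python
import ntpath
import re

# Indicators taken from the description on this page.
DROPPED_FILES = {"winlog0n.exe", "lgsy0.dll", "kavs0.dll"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data; on a live host read os.environ and the Run key via winreg.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "xq7Fk3": r"%Temp%\winlog0n.exe",          # constructed stand-in for "<random symbols>"
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
}

def expand_env(command, env):
    """Expand %VAR% references case-insensitively, as the Windows shell does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)

def command_target(command):
    """Return the executable path of a Run value, stripping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def lookalike_of_winlogon(basename):
    """True for names mimicking winlogon.exe via digit swaps (e.g. winlog0n.exe)."""
    normalized = basename.lower().replace("0", "o").replace("1", "l")
    return normalized == "winlogon.exe" and basename.lower() != "winlogon.exe"

def suspicious_run_values(run_values, env):
    """Return [(value_name, resolved_target, reasons)] for entries matching this Trojan's traits."""
    temp_dir = env.get("TEMP", "").lower().rstrip("\\")
    findings = []
    for name, command in run_values.items():
        target = expand_env(command_target(command), env)
        base = ntpath.basename(target).lower()
        reasons = []
        if base in DROPPED_FILES:
            reasons.append("known dropped file name")
        if lookalike_of_winlogon(base):
            reasons.append("lookalike of winlogon.exe")
        if temp_dir and ntpath.dirname(target).lower().rstrip("\\") == temp_dir:
            reasons.append("autorun target lives in %Temp%")
        if reasons:
            findings.append((name, target, reasons))
    return findings
```

Each finding names the Run value to remove under the key above, which is the value step 3 refers to.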

This Trojan is designed to steal confidential data. It is a Windows PE EXE file. It is 52,734 bytes in size. It is packed using UPX. The unpacked file is approximately 106 KB in size. It is written in Visual C++.

Installation

When launched, the Trojan drops the following files to the Windows temporary directory (%Temp%):

• Winlog0n.exe (18,944 bytes in size);
• LgSy0.dll or Kavs0.dll (28,551 bytes in size).

It also adds the following value to the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random symbols>" = "%Temp%\winlog0n.exe"

This ensures that the Trojan is launched each time Windows boots on the victim machine.

Payload
