This Trojan is designed to steal passwords to the following online games:
- World of Warcraft
- Legend of Mir
When the pages listed below are opened, the Trojan will harvest account information:
http://us.logon.worldofwarcraft.com
http://eu.logon.worldofwarcraft.com
The Trojan also attempts to terminate processes if the process names contain the substrings listed below:
VMON.EXE
TROJDIE
KPOP
ENTER
SSISTSE
KPFW
AGENTSVR
KV
KREG
IEFIND
IPARMOR
SVI.EXE
UPHC
RULEWIZE
FYGT
RFWSRV
RFWMA
The Trojan attempts to read information in the files listed below (if they are present on the victim machine):
data\woool88.dat
data\woool88.dat.update
data\woool.dat
data\woool.dat.update
data\game.ini
config.ini
realmlist.wtf
mir.ini
mirsetup.ini
update.ini
The Trojan sends harvested data to the remote malicious user via HTTP:
http://new.***soft.com.cn/upd/wow.htm?crc=
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process (the process may be called "smss.exe").
- Delete the following parameters from the system registry (see "What is a system registry and how do I use it" for details on how to edit the registry).
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TProgram" = "%WinDir%\smss.exe"
[HKLM\Software\Clients\StartMenuInternet\inexplore.pif]
[HKCR\Software\Microsoft\Internet Explorer\Main]
"Check_Associations" = "No"
Revert the following registry key values:
[HKCR\Applications\iexplore.exe\shell\open\command] ""%Program Files%\Internet Explorer\inexplore.com" %1"
to
[HKCR\Applications\iexplore.exe\shell\open\command] ""%Program Files%\Internet Explorer\iexplore.exe" %1"
[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command] ""%Program Files%\Internet Explorer\inexplore.com""
to
[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command] ""%Program Files%\Internet Explorer\iexplore.exe""
[HKCR\Drive\shell\find\command] "%WinDir%\EXP10RER.com"
to
[HKCR\Drive\shell\find\command] "%WinDir%\Explorer.exe"
[HKCR\ftp\shell\open\command] ""%Program Files%\Internet Explorer\inexplore.com" %1"
to
[HKCR\ftp\shell\open\command] ""%Program Files%\Internet Explorer\iexplore.exe" %1"
[HKCR\htmlfile\shell\open\command] ""%Program Files%\Internet Explorer\inexplore.com" -nohome"
to
[HKCR\htmlfile\shell\open\command] ""%Program Files%\Internet Explorer\iexplore.exe" -nohome"
[HKCR\htmlfile\shell\opennew\command] ""%Program Files%\common~1\inexplore.pif" %1"
to
[HKCR\htmlfile\shell\opennew\command] ""%Program Files%\Internet Explorer\iexplore.exe " %1"
[HKCR\HTTP\shell\open\command] ""%Program Files%\common~1\inexplore.pif" -nohome"
to
[HKCR\HTTP\shell\open\command] ""%Program Files%\Internet Explorer\iexplore.exe" -nohome"
[HKLM\Software\Clients\StartMenuInternet] "inexplore.pif"
to
[HKLM\Software\Clients\StartMenuInternet] "IEXPLORE.EXE"
- Delete the following files:
%Program Files%\Common Files\inexplore.pif
%Program Files%\Internet Explorer\inexplore.com
%System%\command.pif
%System%\dxdiag.com
%System%\msconfig.com
%System%\regedit.com
%System%\rund1132.com
%WinDir%\1.com
%WinDir%\EXP1ORER.com
%WinDir%\finders.com
%WinDir%\smss.exe
%WinDir%\Debug\DebugProgram.exe
D:\command.com
D:\pagefile.pif
D:\autorun.inf
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This Trojan is designed to steal confidential data. It is a Windows PE EXE file. The size of infected files may vary from 37KB to 79KB. This Trojan is written in Visual Basic.
Installation
When launched, the Trojan creates several copies of its executable file:
%Program Files%\Common Files\inexplore.pif
%Program Files%\Internet Explorer\inexplore.com
%System%\command.pif
%System%\dxdiag.com
%System%\msconfig.com
%System%\regedit.com
%System%\rund1132.com
%WinDir%\1.com
%WinDir%\EXP1ORER.com
%WinDir%\finders.com
%WinDir%\smss.exe
%WinDir%\Debug\DebugProgram.exe
The Trojan also copies its executable file to the D: root directory.
D:\command.com
D:\pagefile.pif
It also creates a file called "autorun.inf". When the partition is opened using Windows Explorer, the Trojan's executable file will be launched.
D:\autorun.inf
The Trojan modifies the following system registry keys in order to ensure that it will be launched automatically:
[HKCR\Applications\iexplore.exe\shell\open\command]
""%Program Files%\Internet Explorer\inexplore.com" %1"
[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
""%Program Files%\Internet Explorer\inexplore.com""
[HKCR\Drive\shell\find\command]
"%WinDir%\EXP10RER.com"
[HKCR\ftp\shell\open\command]
""%Program Files%\Internet Explorer\inexplore.com" %1"
[HKCR\htmlfile\shell\open\command]
""%Program Files%\Internet Explorer\inexplore.com" -nohome"
[HKCR\htmlfile\shell\opennew\command]
""%Program Files%\common~1\inexplore.pif" %1"
[HKCR\HTTP\shell\open\command]
""%Program Files%\common~1\inexplore.pif" -nohome"
[HKCR\Software\Microsoft\Internet Explorer\Main]
"Check_Associations" = "No"
[HKLM\Software\Clients\StartMenuInternet]
"inexplore.pif"
[HKLM\Software\Clients\StartMenuInternet\inexplore.pif]
It also adds the following values to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "TProgram" = "%WinDir%\smss.exe"
This ensures that the Trojan will be launched each time Windows is booted on the victim machine.
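An added audit script for the removal steps and the Installation section above (written for this page, not part of the original description): it checks the hijacked IE shell-command values, the Run entry and the dropped files listed in the description, and with -Revert restores the shell commands to the defaults given in the removal instructions. It assumes %Program Files% maps to $env:ProgramFiles and %WinDir% / %System% to $env:SystemRoot and its system32 subdirectory.

```powershell
# Added example: audit the persistence this description lists. Run from an elevated
# PowerShell; pass -Revert to restore the hijacked IE shell commands to their defaults.
param([switch]$Revert)
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$ie  = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$sys = "$env:SystemRoot\system32"
# Hijacked key -> default value to restore, as given in the removal instructions.
$expected = @{
    'HKCR:\Applications\iexplore.exe\shell\open\command' = "`"$ie`" %1"
    'HKCR:\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command' = "`"$ie`""
    'HKCR:\Drive\shell\find\command'      = "$env:SystemRoot\Explorer.exe"
    'HKCR:\ftp\shell\open\command'        = "`"$ie`" %1"
    'HKCR:\htmlfile\shell\open\command'   = "`"$ie`" -nohome"
    'HKCR:\htmlfile\shell\opennew\command' = "`"$ie`" %1"
    'HKCR:\HTTP\shell\open\command'       = "`"$ie`" -nohome"
}
# The description spells the dropped Explorer look-alike both EXP10RER and EXP1ORER.
$markers = 'inexplore\.(com|pif)|EXP1[0O]RER\.com'
foreach ($key in $expected.Keys) {
    if (-not (Test-Path $key)) { continue }
    $current = (Get-ItemProperty -Path $key).'(default)'
    if ($current -match $markers) {
        Write-Warning "hijacked: $key = $current"
        if ($Revert) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$key]
            Write-Output "  restored to $($expected[$key])"
        }
    }
}
# Run-key entry and StartMenuInternet key listed in the removal instructions.
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run.TProgram) { Write-Warning "Run\TProgram = $($run.TProgram)" }
if (Test-Path 'HKLM:\Software\Clients\StartMenuInternet\inexplore.pif') {
    Write-Warning 'StartMenuInternet\inexplore.pif key present'
}
# Dropped copies. Only %WinDir%\smss.exe is the Trojan; the real Session Manager
# lives in system32 and must not be terminated.
$dropped = @(
    "$env:ProgramFiles\Common Files\inexplore.pif", "$env:ProgramFiles\Internet Explorer\inexplore.com",
    "$sys\command.pif", "$sys\dxdiag.com", "$sys\msconfig.com", "$sys\regedit.com", "$sys\rund1132.com",
    "$env:SystemRoot\1.com", "$env:SystemRoot\EXP1ORER.com", "$env:SystemRoot\finders.com",
    "$env:SystemRoot\smss.exe", "$env:SystemRoot\Debug\DebugProgram.exe",
    'D:\command.com', 'D:\pagefile.pif', 'D:\autorun.inf'
)
foreach ($f in $dropped) { if (Test-Path -LiteralPath $f) { Write-Warning "dropped file present: $f" } }
Get-Process smss -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq "$env:SystemRoot\smss.exe" } |
    ForEach-Object { Write-Warning "Trojan smss.exe running, PID $($_.Id)" }
```

The script only reports by default; deleting the dropped files and the Run value is left to the removal steps above so that the real system32\smss.exe is never touched.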