Trojan-GameThief.Win32.OnLineGames.xfck

Technical Details

This Trojan belongs to the family of Trojans that steal passwords from the user account records of online games. It is a Windows application (PE DLL file), 36 865 bytes in size, written in C++.

Payload

This Trojan library is designed to steal passwords for user accounts of the game "World of Warcraft". To do so, the library is injected into the address space of the process "wow.exe" and then waits for a window with the class name "GxWindowClassD3d" and the title "World of Warcraft" to appear in the system. It intercepts the information the user enters into this window to log in to the online game. The collected information is sent as parameters to the following URL:

http://w.per***exe.com:888/houmen/wow.asp

The library exports a function named "AR" which, when called, creates the following system registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"

As a result, each time the system starts, the system utility "RUNDLL32.EXE" calls the function named "w" from the Trojan library.


When the exported function "w" is called, it performs the following actions:

  • The body of the Trojan is copied to the file:
    <Path>\msvcr70.dll

    The value of the substring "<Path>" is read from the system registry key:
    [HKLM\Software\Blizzard Entertainment\World of Warcraft]
    "GamePath"
    

  • In the file
    <Path>\wow.exe

    a section named ".ngaut" is appended, containing code that injects the library "<Path>\msvcr70.dll" into the address space of this process. The entry point of "wow.exe" is changed to point to the code in the added section, so the game loads the Trojan library every time it starts.
  • A hook procedure is installed that allows the malware to monitor messages in the system message queue (this is how the entered login data is captured).
  • The following system registry key is created:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
    

Removal Instructions

If your computer does not have an antivirus and is infected by this malicious program, follow the instructions below to delete it:

  1. Terminate the process "wow.exe".
  2. Restore the original content of the file:
    <Path>\wow.exe

  3. Delete the following files:
    <Path>\msvcr70.dll

  4. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  5. Delete the following system registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "dnheds" = "RUNDLL32.EXE <full path to original Trojan file>,w"
    

  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.