Trojan.PWS.OnlineGames.KDLC


SYMPTOMS:

The files dsoqq.exe and dsoqq0.dll exist, and there is an autorun entry for dsoqq.exe.
Autorun files are created on all drives, and the system might be slowed down slightly.

TECHNICAL DESCRIPTION:

The trojan horse steals private information, specifically login credentials for a number of
online games (see list below).

The malware copies itself to the location <user's documents and settings>\Local Settings\Temp\dsoqq.exe. It then adds a value called "dso32" to the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" so that the copy is started automatically.


A '.dll' file called dsoqq0.dll is also dropped in the same location as dsoqq.exe.

The malware runs its code inside the explorer.exe process (it is explorer.exe that creates the dll). Every minute or so, the code running in explorer creates an autorun.inf file on every drive that points to an exe with a random name (e.g. bu8.exe), which is another copy of the malware. This allows the malware to spread through removable drives.
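As an added example (not code from this advisory or from Ax3soft), the following Python script checks a host inventory for the indicators described above: the dsoqq.exe and dsoqq0.dll drop in Temp, the "dso32" Run value, and autorun.inf files at drive roots that launch an executable. The HostInventory layout and the sample data are assumptions constructed for this example; on a real machine the fields would be filled from the registry (winreg) and directory listings, which is left out so the script runs offline.

```python
"""Offline triage check for the Trojan.PWS.OnlineGames.KDLC indicators.

Added example: not code from the advisory or from Ax3soft. It works on an
inventory an analyst has already collected from a host (HKCU Run values, the
file names in the user's Temp folder, and any autorun.inf found at drive
roots). The HostInventory layout is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators quoted from the advisory.
DROPPER_NAME = "dsoqq.exe"
DLL_NAME = "dsoqq0.dll"
RUN_VALUE_NAME = "dso32"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# An autorun.inf line that launches an .exe from the drive root, such as
# "open=bu8.exe", "shellexecute=.\bu8.exe" or "shell\open\command=bu8.exe".
# The exe name is not fixed because the advisory says it is random.
_AUTORUN_EXE = re.compile(
    r"^\s*(?:open|shellexecute|shell\\\w+\\command)\s*=\s*(?:\.\\)?([\w-]+\.exe)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class HostInventory:
    run_values: Dict[str, str]             # HKCU Run value name -> command line
    temp_files: Set[str]                   # file names in <user>\Local Settings\Temp
    autorun_inf: Dict[str, Optional[str]]  # drive letter -> autorun.inf text, None if absent


def check_persistence(inv: HostInventory) -> Dict[str, str]:
    """Report the dropped files and the dso32 Run value, if present."""
    hits: Dict[str, str] = {}
    cmd = inv.run_values.get(RUN_VALUE_NAME)
    if cmd is not None:
        hits["run_value"] = cmd
    present = {name.lower() for name in inv.temp_files}
    for name in (DROPPER_NAME, DLL_NAME):
        if name in present:
            hits[name] = "present in Temp"
    return hits


def check_autorun(inv: HostInventory) -> List[str]:
    """Report every drive whose autorun.inf launches an executable from the root."""
    findings: List[str] = []
    for drive, text in sorted(inv.autorun_inf.items()):
        if not text:
            continue
        exes = sorted({m.group(1).lower() for m in _AUTORUN_EXE.finditer(text)})
        if exes:
            findings.append(f"{drive}:\\autorun.inf launches {', '.join(exes)} from the drive root")
    return findings


def verdict(inv: HostInventory) -> str:
    """'infected' when the Run value launches the dropper or both dropped files
    are present; 'suspicious' for any single indicator; otherwise 'clean'."""
    hits = check_persistence(inv)
    cmd = hits.get("run_value", "")
    if DROPPER_NAME in cmd.lower() or (DROPPER_NAME in hits and DLL_NAME in hits):
        return "infected"
    if hits or check_autorun(inv):
        return "suspicious"
    return "clean"


# Constructed sample inventory (not real data) mirroring the advisory's symptoms.
SAMPLE = HostInventory(
    run_values={
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "dso32": r"C:\Documents and Settings\user\Local Settings\Temp\dsoqq.exe",
    },
    temp_files={"~DF1234.tmp", "dsoqq.exe", "dsoqq0.dll"},
    autorun_inf={
        "C": "[autorun]\r\nopen=bu8.exe\r\nshell\\open\\Command=bu8.exe\r\n",
        "D": None,                                 # no autorun.inf on this drive
        "E": "[autorun]\r\nicon=setup.exe,0\r\n",  # benign: only sets an icon
    },
)

if __name__ == "__main__":
    for key, detail in check_persistence(SAMPLE).items():
        print(f"persistence: {key}: {detail}")
    for line in check_autorun(SAMPLE):
        print(f"autorun: {line}")
    print("verdict:", verdict(SAMPLE))
```

The Run-key check keys on the value name rather than the full path, because the Temp path differs per user profile, while the autorun check flags any executable launched from a drive root rather than a fixed file name, since the advisory states the copies get random names. An autorun.inf that only sets an icon is deliberately not reported, so the check does not fire on ordinary install media.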


The code running in explorer also loads the dropped .dll file whenever the user runs an application, and uses the .dll to spy on that application. If one of the targeted online games is detected, it waits until the user enters his/her credentials and then sends them to the malware's creator.
Some anti-hack tools used with these games, such as HShield, are bypassed.

The full list of targeted games is:

  • Maple Story
  • Cabal Online
  • Metin2
  • Dungeon fighter
  • Dofus (it recognizes the game by searching for known server, NPC or items' names like: Crocoburio, Lily, Hecate, Ruliet, Vil Smisse, etc.)
  • Flyff (again, searches for keywords like Clockworks, Glaphan, Mushpoie, etc.)
  • Aion Online
  • Last Chaos
  • Knight Online
  • Silk Road Online
  • 2moons
  • Dekaron
  • Lineage 2
  • World of Warcraft
  • Seal Online.

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new policies to Ax3soft Sax2 to detect this Trojan; please update the policy knowledge base of Sax2 in time.

Appendix:

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm