Malware City/Blog/

Apr
06
Filed Under:
WEEKLY REVIEW

BitDefender weekly review – Gamers take care

06 April 2009
Another wave of online games password stealing Trojans has been detected by BitDefender Labs. This time sneakier then usual, having rootkit capabilities. Adware is not left behind either. Many new versions of Trojan.Swizzor are in the wild, all detected by BitDefender under a generic signature called Trojan.Swizzor.4

Trojan.Swizzor.4

This e-threat belongs to the family of adware Trojans and the name (Trojan.Swizzor.4) describes a whole collection of malware that have the same behavior. Upon execution the Trojan will open an invisible Internet Explorer session and will inject all its code and data into the browsers memory space. After this is will create two remote threads running inside Internet Explorer.

The injected code will add a key to the Registry, which will be used to download more Trojans on the infected machine inside %temp% from various sources on the web, the main being http://host-[remove].com

It can also create desktop shortcuts linking to various malware containing websites. Names can vary from games.ink, poker.ink to internet.ink, travel.ink. These links could be added to Internet Explorer's bookmarks folder as well.

At some point the following message could be displayed:

"CiD: An important update is available to your CiD sponsor software and must
be run as administrator. Please press 'YES' to proceed. If you press 'NO'
you will be reminded again in a few hours. If instead you prefer to remove
the sponsor software, download and run this universal uninstaller:
hxxp://cidhelp.com/uninstall.exe"

Following the link will just download more swizzors on the affected computer.

 

Dropped:Trojan.Generic.1561399

This small executable is probably part of a larger scale attack. When run, it checks the Registry for the WinDefend service (belonging to Windows Defender) and will stop it if it's running. The effect, obviously is that the user will be left without Windows Defenders protection which makes the affected system more vulnerable to other attacks.

 

Trojan.PWS.Onlinegames.KBTP

Yet another online games password stealer, this time with some rootkit capabilities embedded as well. This one is targeting MapleStory, Age of Connan, Metin2 and others.

It drops a driver into %system%\drivers\klif.sys, which will be registered as a system service in order to be launched at every system startup. This file will hide all the malware related registry entries and files.

It also drops %system%\nmdfgds0.dll, which will be injected in every running process in order to steal the desired authentication information from the games.

It copies itself into C:\random_name.cmd. This file will be run automatically using an obfuscated autorun.inf file if the autorun feature is enabled. Another copy is created as %system%\olhrwef.exe.

It also tries to download other malware from the following location: http://hjyuw2.com/[removed]/help1..rar


Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad, Marius Vanta and Ovidiu Visoiu





Related

27-03-2009 | BitDefender weekly review – The marvelous Antivirus 360

20-03-2009 | Avoiding firewalls - BitDefender weekly review

13-03-2009 | Surfers, Beware – What You See is not What You Get!

06-03-2009 | Weekly Review – More online game threats

Comment on this

Name:

Email:

Website:

Your email adress will not be published.