BitDefender weekly review – Gamers take even more care

10 April 2009
Do you play MapleStory, Age Of Conan, Rohan, The Lord OF The Rings, Knight Online or Lands Of Aden? If so, take great care: another e-threat is out there lurking to snatch your login credentials for these games.

Trojan.Downloader.FakeAV.BD

This small Trojan is probably used by malware writers to spread rogue security software and similar e-threats. It is most likely downloaded by other malware or sent out through spam emails.

It resides in %system% with a random filename.

It tries to redirect its victims to another website by adding the following lines to the hosts file:

82.98.xxx.xx browser-security.microsoft.com
82.98.xxx.xx [xxx]-click-scanner.info
82.98.xxx.xx [xxx]virus-xp-pro-2009.com
82.98.xxx.xx microsoft.infosecuritycenter.com
82.98.xxx.xx microsoft.softwaresecurityhelp.com
82.98.xxx.xx [xxx]nenotifyq.net
82.98.xxx.xx [xxx]virusxp-pro-2009.com
82.98.xxx.xx microsoft.browser-security-center.com

We suspect the address these names are pinned to hosts another website for spreading the fake antivirus. The Trojan also tries to connect to a hardcoded URL in order to download its payload:

http://85.12.xx.xx/go/?cmp=hstwtch&ver=XXX&d=XXX
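As an added, defender-side example (not code from the original post), the following Python audit parses a hosts file like the one modified above and flags the pattern the post describes: vendor or security-themed names pinned to a routable address, and several unrelated names resolving to one address. The sample hosts text, the address 192.0.2.10 (an RFC 5737 documentation address) and the suffix/keyword lists are constructed for illustration and are not the real values from the sample.

```python
import ipaddress

# Constructed sample modelled on the hosts-file modification described above.
# Addresses use the RFC 5737 documentation range, not the real (masked) ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10 browser-security.microsoft.com
192.0.2.10 microsoft.infosecuritycenter.com
192.0.2.10 virus-xp-pro-2009.com
"""

# Domains that should never be pinned to a routable address on an end-user machine
# (assumed list for illustration)
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Words that rogue-AV lure domains tend to carry (assumed list for illustration)
LURE_KEYWORDS = ("virus", "security", "antivirus", "scanner", "notify")


def parse_hosts(text):
    """Return [(ip, hostname), ...] from hosts-file text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an address: malformed line
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def audit_hosts(text, vendor_suffixes=VENDOR_SUFFIXES, lure_keywords=LURE_KEYWORDS):
    """Return a list of (hostname, ip, reason) findings for suspicious mappings.

    Loopback and unspecified addresses (127.x, ::1, 0.0.0.0) are the normal way a
    hosts file blocks names, so they are never flagged.
    """
    findings = []
    hosts_per_ip = {}
    for ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        hosts_per_ip.setdefault(ip, []).append(host)
        if any(host == s or host.endswith("." + s) for s in vendor_suffixes):
            findings.append((host, ip, "vendor domain pinned to a routable address"))
        elif any(k in host for k in lure_keywords):
            findings.append((host, ip, "security-themed name pinned to a routable address"))
    # Many unrelated names resolving to one routable address is itself a redirect signature
    for ip, hosts in hosts_per_ip.items():
        if len(hosts) >= 3:
            findings.append(("*", ip, f"{len(hosts)} hostnames mapped to one address"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:16} {host:40} {reason}")
```

On a real system you would read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) into `audit_hosts`; the suffix and keyword lists are the tuning knobs, and the "several names to one address" rule catches redirect campaigns whose lure domains you have never seen before.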

Trojan.PWS.OnlineGames.KBVT

Another online games password stealer; this time, however, it fights security products in order to stay undetected.

After execution, it creates a hidden copy of itself in %system% under the name olhrwef.exe and creates a registry key so that it is executed at boot time.

Then it drops the password-stealing component, also found in %system%, under the name nmdfgds0.dll or nmdfgds1.dll. This DLL monitors mouse gestures and keystrokes. It targets well-known titles such as MapleStory, Age Of Conan, Rohan, The Lord OF The Rings, Knight Online, Lands Of Aden and others.

In order to spread further, the malware creates a hidden autorun.inf file on each removable drive (including USB sticks) which points to another copy of itself residing at %drive_letter%\1ogf.exe.
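As an added example (not code from the original post), here is a Python check that parses an autorun.inf as found in the root of removable media and reports which executables its `open=`, `shellexecute=` and `shell\<verb>\command=` entries would launch; a legitimate autorun.inf on removable media normally sets only `icon` and `label`. The sample autorun.inf is constructed for illustration; only the file name 1ogf.exe comes from the post.

```python
# Constructed autorun.inf modelled on the one described above: a hidden file in the
# drive root that launches the worm copy. Only the name 1ogf.exe comes from the post.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=1ogf.exe
shell\open\Command=1ogf.exe
shell\explore\command=1ogf.exe
shellexecute=1ogf.exe
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

# Keys whose value Windows would launch (directly or through the context menu)
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (INI-style, keys lowercased)."""
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def launched_commands(values):
    """Collect every value that would be executed: open=, shellexecute= and shell\\<verb>\\command=."""
    cmds = []
    for key, value in values.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append(value)
    return cmds


def first_token(cmd):
    """Return the program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd.split() else ""


def assess_autorun(text):
    """Return the sorted set of executable file names an autorun.inf would launch.

    An empty list means the file only sets things like icon and label, which is
    what legitimate removable media normally carry; anything else should be
    checked on disk (the post's sample also hides the file it points to).
    """
    flagged = set()
    for cmd in launched_commands(parse_autorun(text)):
        program = first_token(cmd).lower()
        if program.endswith(EXECUTABLE_EXT):
            flagged.add(program)
    return sorted(flagged)


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN))   # ['1ogf.exe']
```

The parser is deliberately hand-written rather than based on `configparser`, because malicious autorun.inf files often carry junk lines that a strict INI parser rejects; everything outside the `[autorun]` section is ignored and the file is read as plain text, so it never has to be executed or mounted with autorun enabled to be examined.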

To fight security products and protect itself, this Trojan installs a driver file, which is registered as a system service and started automatically at each boot. The file is called klif.sys and resides in %system%, along with another DLL file, ANTIVM.dll, which is used to disable the update capability of various antivirus products or to stop processes that monitor the behaviour of running programs (a technology often used by antivirus products to proactively detect malware).

It also adds some registry keys so that the user will not be able to see hidden files and folders in Explorer.

It also downloads a file called help1.rar from http://[removed]uw2..com/xmfx/, but sadly it was unavailable at the time this article was written, so we do not know what it does.

Information in this article is available courtesy of BitDefender virus researchers Stefan Catalin Hanu and Dana Stanut.

Comments:

Petit said on Apr-11-2009 09:28

Some gamers like to turn off antivirus protection and other security apps before playing games. But I think it's a stupid idea. This kind of gamer uses the computer to play games only and has bad computer skills.

Mac said on Apr-22-2009 15:57

Fortunately, the new BitDefender solutions are not such big resource consumers. If these gamers knew this, maybe their lives would be easier :)
Thanks to the author for this info! Keep going!

computers from warehouse said on Apr-12-2011 04:46

It's always amazing reading or commenting on a blog from which we get a full knowledge. Same as here I have found some really interesting information which is simply a great boost to my knowledge.
