Filed Under: WEEKLY REVIEW

[Malware Review] Trojan.KillAV.RS Steals Gamers’ Login Credentials

20 July 2010
The online gamers’ community is a constant source of login credentials and, unfortunately, a preferred target of numerous cyber-criminals.

Trojan.KillAV.RS first stops and deletes Microsoft®'s Cryptographic Services (cryptsvc), so that the affected system can no longer verify files’ digital signatures or integrity. Windows Update and Windows File Protection also stop working without this service.

The Trojan then saves the original %SysDir%\ksuser.dll as %SysDir%\sksuser.dll and copies its own DLL to %SysDir%\ksuser.dll. As a result, %SysDir%\ksuser.dll grows from 4096 to 8480 bytes.

Once these malicious components are in place, Trojan.KillAV.RS searches every FAT32 or NTFS partition for game installation directories. It also scans all running processes to identify game.exe instances and enumerates the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths for entries containing the string game.exe. The Trojan deletes itself after the next reboot.

Trojan.KillAV.RS drops its malicious ksuser.dll into every directory found during this scan, so that it is loaded each time a game starts. The 288-byte overlay of the infected ksuser.dll contains two encrypted links: http://003[removed].cn/zhu/post.asp and http://003[removed].cn/008/post.asp.
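The host-side indicators described above (the replaced ksuser.dll and its sksuser.dll backup, the stopped or deleted cryptsvc service, and ksuser.dll copies planted next to game.exe) can be checked by an offline triage routine. The following is an added example, not BitDefender's or the author's code; it runs over a constructed host inventory rather than a live system, and the %SysDir% path and the sample game path are assumptions.

```python
# Added example (not BitDefender's or the author's code): offline triage of the
# Trojan.KillAV.RS indicators in the post over a constructed host inventory.
import ntpath

SYSDIR = r"C:\Windows\System32"   # assumed %SysDir%
CLEAN_KSUSER_SIZE = 4096          # legitimate ksuser.dll size per the post
INFECTED_KSUSER_SIZE = 8480       # size after the Trojan's DLL replaces it

def triage(files, services, app_paths):
    """files: path -> size; services: name -> state (absent if deleted); app_paths: subkey -> exe."""
    findings = []
    files = {p.lower(): size for p, size in files.items()}
    sysdir = SYSDIR.lower()

    # 1. Replaced ksuser.dll: the post reports growth from 4096 to 8480 bytes.
    ks = ntpath.join(sysdir, "ksuser.dll")
    if ks in files and files[ks] != CLEAN_KSUSER_SIZE:
        tag = "infected size" if files[ks] == INFECTED_KSUSER_SIZE else "unexpected size"
        findings.append(f"{ks}: {files[ks]} bytes ({tag})")

    # 2. Backup of the original DLL left behind as sksuser.dll.
    if ntpath.join(sysdir, "sksuser.dll") in files:
        findings.append("sksuser.dll present: saved copy of the original ksuser.dll")

    # 3. Cryptographic service stopped or deleted (also breaks Windows Update/WFP).
    state = services.get("cryptsvc")
    if state is None:
        findings.append("cryptsvc service is missing (deleted)")
    elif state.lower() != "running":
        findings.append(f"cryptsvc service is {state}")

    # 4. ksuser.dll belongs in %SysDir%; a copy beside a game executable is the dropped DLL.
    game_dirs = {ntpath.dirname(p).lower() for k, p in app_paths.items() if "game.exe" in k.lower()}
    for path, size in files.items():
        if ntpath.basename(path) == "ksuser.dll" and ntpath.dirname(path) != sysdir:
            where = "registered game directory" if ntpath.dirname(path) in game_dirs else "non-system directory"
            findings.append(f"{path}: ksuser.dll in {where} ({size} bytes)")
    return findings

# Constructed sample resembling the infection described in the post.
SAMPLE_FILES = {r"C:\Windows\System32\ksuser.dll": 8480,
                r"C:\Windows\System32\sksuser.dll": 4096,
                r"D:\Games\SomeGame\game.exe": 1_200_000,
                r"D:\Games\SomeGame\ksuser.dll": 8480}
SAMPLE_SERVICES = {"wuauserv": "Running"}            # cryptsvc absent: deleted
SAMPLE_APP_PATHS = {"game.exe": r"D:\Games\SomeGame\game.exe"}

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_APP_PATHS):
        print(line)
```

On a real host the three inputs would be collected with a file-system walk, the service control manager and the App Paths registry key; the post's size values identify this particular sample only, so any ksuser.dll outside %SysDir% should be treated as suspicious regardless of size.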

Trojan.KillAV.RS’s purpose is to gather login credentials, such as usernames and passwords for certain games, and send them to specific URLs such as those listed above. Apart from login information, the Trojan also takes screenshots of the infected system’s desktop, Internet Explorer® and Windows® Picture and Fax Viewer.

The technical information in this article is available courtesy of BitDefender virus researcher Andrea Takacs.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.




Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.

Comments:

Blow up mattress said on Aug-8-2011 05:52

I definitely agree with you when you say that online gamers’ community represents a constant source of login credentials and the preferred target of numerous cyber-criminals. The recent attack to the PS network (http://taw.net/forums/t/88031.aspx) is a perfect demonstration of this.

find a freelancer said on Dec-22-2011 23:27

These viruses are sometimes so troublesome.

hosting server said on Feb-9-2012 05:53

Above the topic is excellent creativity.
