Virus: TR/Onlinegames.B
Date discovered: 19/05/2008
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~100.000 Bytes
IVDF version: 7.00.04.63 - Tuesday, May 20, 2008

General
Method of propagation:
• Mapped network drives

Aliases:
• McAfee: PWS-LegMir.gen.k
• Kaspersky: Trojan-PSW.Win32.OnLineGames.ngm
• F-Secure: Trojan-PSW.Win32.OnLineGames.ngm
• Grisoft: Worm/AutoRun.Y
• Eset: Win32/PSW.OnLineGames.NLI
• Bitdefender: Trojan.PWS.OnlineGames.WME

Similar detection:
• TR/Onlinegames.B.%number%

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Registry modification
• Steals information

Files
It copies itself to the following location:
• %SYSDIR%\amvo.exe

It drops a copy of itself using a filename from a list:
– To: %drive%\
  Using one of the following names:
  • %random character string%.exe
  • %random character string%.bat
  • %random character string%.cmd
  • %random character string%.com

The following files are created:
– Temporary files that might be deleted afterwards:
  • %TEMPDIR%\%random character string%.sys
  • %TEMPDIR%\%random character string%.dll
– %drive%\autorun.inf
  This is a non-malicious text file with the following content:
  • %code that runs malware%
– %TEMPDIR%\%random character string%.sys
  Further investigation pointed out that this file is malware, too. Detected as: RKIT/Vanti
– %TEMPDIR%\%random character string%.dll
  Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.NSPM.Gen
– %SYSDIR%\amvo0.dll
  Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.NSPM.Gen

Registry
The following registry key is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • amva = %SYSDIR%\amvo.exe

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Old value:
  • Hidden = %user defined settings%
  • ShowSuperHidden = %user defined settings%
  New value:
  • Hidden = 2
  • ShowSuperHidden = 0
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  Old value:
  • CheckedValue = %user defined settings%
  New value:
  • CheckedValue = 0

Stealing
It tries to steal the following information:
– Passwords from the following programs:
  • Maple Story
  • Lineage

Injection
– It injects the following file into a process: %SYSDIR%\amvo0.dll
  Process name:
  • explorer.exe
  If successful, the malware process terminates while the injected part remains active.

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
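The indicators above (the amva Run value, the amvo.exe / amvo0.dll drops in %SYSDIR%, the forced Explorer hidden-file settings and the autorun.inf plus random-named dropper on each drive root) can be turned into a host check. The script below is an added example and is not Avira's tooling or anything from the original description: the snapshot dictionary layout, the SAMPLE_SNAPSHOT contents (including the constructed drive letters, file names and autorun.inf text) and the collect_windows_snapshot() helper are all assumptions made for this example. It parses autorun.inf the way a defender would, looking for open=, shellexecute= and shell\verb\command= entries that point at an executable sitting in the drive root, and it treats CheckedValue=0 as the stronger signal, since Hidden=2 and ShowSuperHidden=0 are also the Windows defaults while CheckedValue defaults to 1.

```python
"""Host check for the indicators in the TR/Onlinegames.B description above (added
example, not Avira's tooling). assess_snapshot() scores a plain dict, so it runs
offline; collect_windows_snapshot() fills that dict on a live Windows host."""
import configparser
import os
import string
from pathlib import Path

RUN_VALUE_NAME = "amva"                      # HKCU\...\Run value named in the report
DROPPED_SYSDIR_FILES = ("amvo.exe", "amvo0.dll")
# Explorer values the trojan forces so its hidden droppers stay invisible.
FORCED_EXPLORER_SETTINGS = {"Hidden": 2, "ShowSuperHidden": 0, "CheckedValue": 0}
DROPPER_EXTENSIONS = (".exe", ".bat", ".cmd", ".com")


def autorun_launch_targets(text):
    """File names an autorun.inf would launch via open=, shellexecute= or
    shell\\<verb>\\command=. Returns [] for unparsable or sectionless input."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in parser.items(section):        # option names are lower-cased
        launcher = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launcher and value.strip():
            program = value.strip().split()[0].strip('"')          # drop arguments
            targets.append(os.path.basename(program.replace("\\", "/")).lower())
    return targets


def assess_snapshot(snap):
    """Return (severity, finding) tuples for one host snapshot; [] means clean."""
    findings = []
    run_value = snap.get("run_values", {}).get(RUN_VALUE_NAME)
    if run_value is not None:
        findings.append(("high", f"HKCU Run value {RUN_VALUE_NAME} = {run_value}"))
    sysdir = {f.lower() for f in snap.get("sysdir_files", [])}
    for name in DROPPED_SYSDIR_FILES:
        if name in sysdir:
            findings.append(("high", f"{name} present in %SYSDIR%"))
    settings = snap.get("explorer_settings", {})
    forced = [k for k, v in FORCED_EXPLORER_SETTINGS.items() if settings.get(k) == v]
    if "CheckedValue" in forced:   # default is 1; 0 greys out "Show hidden files" in Explorer
        findings.append(("medium", "Explorer forced to hide files: " + ", ".join(forced)))
    elif forced:                   # Hidden=2 / ShowSuperHidden=0 are also Windows defaults
        findings.append(("low", "Explorer hidden-file settings at forced values: " + ", ".join(forced)))
    for root, names in snap.get("drive_roots", {}).items():
        present = {n.lower() for n in names}
        if "autorun.inf" not in present:
            continue
        targets = autorun_launch_targets(snap.get("autorun_contents", {}).get(root, ""))
        droppers = sorted({t for t in targets if t in present and t.endswith(DROPPER_EXTENSIONS)})
        if droppers:
            findings.append(("high", f"{root} autorun.inf launches {', '.join(droppers)} from the drive root"))
        else:
            findings.append(("low", f"{root} carries an autorun.inf"))
    return findings


def collect_windows_snapshot():
    """Fill a snapshot on a live Windows host (assumed helper, best effort; reads
    only the registry keys and paths the description names)."""
    import winreg                                   # Windows-only module

    def safe(fn, default, *args):                   # missing key/file -> default
        try:
            return fn(*args)
        except OSError:
            return default

    def reg(hive, path, name):
        with winreg.OpenKey(hive, path) as key:
            return winreg.QueryValueEx(key, name)[0]

    cu, lm = winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    adv = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    roots = [d + ":\\" for d in string.ascii_uppercase if os.path.isdir(d + ":\\")]
    return {
        "run_values": {RUN_VALUE_NAME: safe(reg, None, cu, run, RUN_VALUE_NAME)},
        "sysdir_files": safe(os.listdir, [], os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")),
        "explorer_settings": {"Hidden": safe(reg, None, cu, adv, "Hidden"),
                              "ShowSuperHidden": safe(reg, None, cu, adv, "ShowSuperHidden"),
                              "CheckedValue": safe(reg, None, lm, adv + r"\Folder\Hidden\SHOWALL", "CheckedValue")},
        "drive_roots": {r: safe(os.listdir, [], r) for r in roots},
        "autorun_contents": {r: safe(lambda p: Path(p).read_text(errors="replace"), "",
                                     os.path.join(r, "autorun.inf")) for r in roots},
    }


# Constructed sample snapshot in the same shape (not data taken from the report).
SAMPLE_SNAPSHOT = {
    "run_values": {"amva": r"C:\WINDOWS\system32\amvo.exe"},
    "sysdir_files": ["kernel32.dll", "amvo.exe", "amvo0.dll"],
    "explorer_settings": {"Hidden": 2, "ShowSuperHidden": 0, "CheckedValue": 0},
    "drive_roots": {"E:\\": ["autorun.inf", "kx3f.exe", "photos"], "F:\\": ["autorun.inf", "setup"]},
    "autorun_contents": {"E:\\": "[AutoRun]\nopen=kx3f.exe\nshell\\open\\Command=kx3f.exe\n",
                         "F:\\": "[autorun]\nicon=setup\\app.ico\n"},   # benign vendor autorun
}

if __name__ == "__main__":
    snap = collect_windows_snapshot() if os.name == "nt" else SAMPLE_SNAPSHOT
    for severity, text in assess_snapshot(snap) or [("info", "no indicators found")]:
        print(f"[{severity}] {text}")
```

Run it on a Windows host to check the live registry and drive roots, or anywhere else to see the findings for the constructed sample. A drive whose autorun.inf only sets an icon (the F: entry in the sample) is reported at low severity, while one whose autorun.inf launches an executable from its own root, the pattern the description gives for %drive%\, is reported as high; cleaning up after a hit means removing the Run value and the dropped files and restoring CheckedValue to 1 so "Show hidden files" works again.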
Description inserted by Andrei Gherman on Friday, June 13, 2008 Description updated by Andrei Gherman on Friday, June 13, 2008