Virus:TR/Thief.Wow.dom
Date discovered:19/12/2008
Type:Trojan
Subtype:Thief
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:102.400 Bytes
MD5 checksum:9116885e7eb017b5499471e79b1702d0
IVDF version:7.01.01.08 - Friday, December 19, 2008

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-GameThief.Win32.WOW.dom
   •  F-Secure: Trojan-GameThief.Win32.WOW.dom
   •  Sophos: Mal/GamePSW-C
   •  Grisoft: PSW.OnlineGames.BJQU
   •  Eset: Win32/PSW.WOW.DON trojan


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Steals information

Process termination
List of processes that are terminated:
   • ravmon.exe; kavpfw.exe; sphinx.exe; ccapp.exe; pfw.exe; vsmon.exe;
      avguard.exe; avconsol.exe; ashdisp.exe; vsserv.exe; navapsvc.exe;
      kvwsc.exe; ravmond.exe; kav32.exe; nod32.exe; avp.exe

Processes with one of the following strings are terminated:
   • rsing fireware; kav fire; SPHINX; FIREWARE ND; FIREWARE TW; ZoneAlarm;
      AVIRA; McAfee VirusScan; AVAST; BitDefender; Norton; Jiangming;
      Rising; DUBA; NOD32; Kaspersky Lab;
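The two kill lists above (exact image names, then substrings) are the behaviour a defender can most readily look for on a host. The following script is an added example and not part of the Avira description: it parses constructed process-termination log lines, matches them against the names and substrings quoted above, and reports which security processes were stopped and why. The log format and the sample events are assumptions made for this example.

```python
"""Flag process terminations that match the kill lists described above.

Added example, not Avira's code. The process names and substrings are taken
from the description; the log format and sample events are constructed.
"""
import re

# Exact image names the trojan terminates (from the description).
KILLED_IMAGES = {
    "ravmon.exe", "kavpfw.exe", "sphinx.exe", "ccapp.exe", "pfw.exe", "vsmon.exe",
    "avguard.exe", "avconsol.exe", "ashdisp.exe", "vsserv.exe", "navapsvc.exe",
    "kvwsc.exe", "ravmond.exe", "kav32.exe", "nod32.exe", "avp.exe",
}

# Substrings that also trigger termination (matched case-insensitively here;
# the description does not state the case sensitivity used by the malware).
KILLED_SUBSTRINGS = [
    "rsing fireware", "kav fire", "SPHINX", "FIREWARE ND", "FIREWARE TW",
    "ZoneAlarm", "AVIRA", "McAfee VirusScan", "AVAST", "BitDefender", "Norton",
    "Jiangming", "Rising", "DUBA", "NOD32", "Kaspersky Lab",
]

# Constructed log line format: <time> <event> image=<name> title="<window title>"
EVENT_RE = re.compile(
    r'^(?P<time>\S+) (?P<event>\S+) image=(?P<image>\S+) title="(?P<title>[^"]*)"$'
)

# Constructed sample events for this example.
SAMPLE_LOG = """\
2008-12-19T10:00:01 TERMINATED image=notepad.exe title="Untitled - Notepad"
2008-12-19T10:00:02 TERMINATED image=avguard.exe title="Avira AntiVir Guard"
2008-12-19T10:00:02 TERMINATED image=zlclient.exe title="ZoneAlarm Security"
2008-12-19T10:00:03 STARTED image=avp.exe title="Kaspersky Anti-Virus"
2008-12-19T10:00:03 TERMINATED image=NOD32KRN.EXE title=""
""".splitlines()


def parse_event(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_kill_list(image, title):
    """Return the reasons a process would be on the trojan's kill list."""
    reasons = []
    image_lc = image.lower()
    if image_lc in KILLED_IMAGES:
        reasons.append(f"exact name: {image_lc}")
    haystack = f"{image} {title}".lower()
    for s in KILLED_SUBSTRINGS:
        if s.lower() in haystack:
            reasons.append(f"substring: {s}")
    return reasons


def find_suspicious_terminations(lines):
    """Return TERMINATED events whose process matches either kill list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["event"] != "TERMINATED":
            continue
        reasons = match_kill_list(ev["image"], ev["title"])
        if reasons:
            hits.append({"time": ev["time"], "image": ev["image"], "reasons": reasons})
    return hits


def distinct_images(hits):
    """Number of different security processes stopped; several in a short
    window is a stronger signal than a single one."""
    return len({h["image"].lower() for h in hits})


if __name__ == "__main__":
    found = find_suspicious_terminations(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["image"], "->", "; ".join(h["reasons"]))
    print("distinct security processes terminated:", distinct_images(found))
```

Run against real process-audit or EDR export lines by adapting EVENT_RE; the matching logic itself only depends on an image name and an optional window title.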


Stealing
It tries to steal the following information:

– A logging routine is started after one of the following websites is visited:
   • grunt.wowchina.com
   • kr.version.worldofwarcraft.com
   • kr.logon.worldofwarcraft.com
   • us.version.worldofwarcraft.com
   • us.logon.worldofwarcraft.com
   • tw.version.worldofwarcraft.com
   • tw.logon.worldofwarcraft.com
   • eu.version.worldofwarcraft.com
   • eu.logon.worldofwarcraft.com
   • cox.net
   • aol.com
   • comcast.net
   • live.com
   • google.com
   • yahoo.com
   • web.de

– It captures:
    • Login information

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Tuesday, December 23, 2008
Description updated by Thomas Wegele on Tuesday, December 23, 2008
