Virus: TR/Drop.Wsgame.A
Date discovered: 26/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: High
Distribution Potential: Medium to high
Damage Potential: Medium to high
Static file: Yes
File size: 108.704 Bytes
MD5 checksum: 071138040C52088bb16a11760F19fc9f
IVDF version: 7.10.09.196 - Monday, July 26, 2010

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Artemis!071138040C52
   •  Sophos: Sus/UnkPack-C
   •  Microsoft: TrojanDropper:Win32/Frethog.K
   •  Panda: Trj/CI.A
   •  AhnLab: Trojan/Win32.OnlineGameHack
   •  DrWeb: Trojan.PWS.Wsgame.23196
   •  Ikarus: Worm.Win32.Taterf


Platforms / OS:
   • Windows 98
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops a file
   • Drops a malicious file
   • Registry modification

Files
It copies the following file:
    •  %WINDIR%\notepad.exe into %WINDIR%\%random character string%



It deletes the initially executed copy of itself.



The following file is created:

%SYSDIR%\ahnoo0.dll

Once it has been fully written, this file is executed. Further investigation showed that this file is malware too. Detected as: TR/Wsgame.A

Registry
The following registry key is added in order to load the service after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   ShellExecuteHooks]
   • "%CLSID%"="hook dll rising"



The following registry keys are added:

– [HKCR\CLSID\%CLSID%\InprocServer32]
   • "(Default)"="%SYSDIR%\ahnoo0.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\%CLSID%]
   • "VcbitExeModuleName"="%malware execution directory%\%executed file%"
   • "VcbitDllModuleName"="%SYSDIR%\ahnoo0.dll"
   • "VcbitSobjEventName"="CVBASDDOOPADSAMN_0"
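The ShellExecuteHooks entry above is what makes Explorer load the dropped DLL on every logon, so a defender's first check is to enumerate that key and resolve each CLSID to its InprocServer32 path. The script below is an added example and is not part of the Avira description; it assumes an elevated PowerShell session on a Windows host, and the function name `Find-ShellExecuteHookIndicators` is a hypothetical name chosen here. The page-specific indicators it looks for (the DLL name `ahnoo0.dll`, the hook label `hook dll rising`, and the `Vcbit*` values under the CLSID key) are taken from the description; the remaining checks (missing or unsigned DLL) are generic and apply to any ShellExecuteHooks entry.

```powershell
# Added defender-side check, not part of the Avira description.
# Enumerates every CLSID registered under ShellExecuteHooks, resolves it to its
# InprocServer32 DLL, and reports the indicators listed in the description.
# Assumes an elevated PowerShell session on Windows; the function name is hypothetical.
function Find-ShellExecuteHookIndicators {
    $hookKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $findings = @()

    # The key does not exist on a clean install of newer Windows versions.
    if (-not (Test-Path $hookKey)) { return $findings }

    $hookProps = Get-ItemProperty -Path $hookKey
    foreach ($prop in $hookProps.PSObject.Properties) {
        # Value names under ShellExecuteHooks are CLSIDs; skip the PS* metadata properties.
        if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $clsid = $prop.Name
        $label = [string]$prop.Value

        $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $inprocKey = "$clsidKey\InprocServer32"
        $dllPath   = $null
        if (Test-Path $inprocKey) {
            $raw = (Get-ItemProperty -Path $inprocKey).'(default)'
            if ($raw) { $dllPath = [Environment]::ExpandEnvironmentVariables($raw) }
        }

        $reasons = @()
        # Indicators taken from the description: hook label and dropped DLL name.
        if ($label -eq 'hook dll rising') { $reasons += 'hook label "hook dll rising"' }
        if ($dllPath -and ((Split-Path $dllPath -Leaf) -ieq 'ahnoo0.dll')) {
            $reasons += 'InprocServer32 points at ahnoo0.dll'
        }
        # The Vcbit* values are written directly under the CLSID key.
        if (Test-Path $clsidKey) {
            $vcbit = (Get-ItemProperty -Path $clsidKey).PSObject.Properties.Name |
                     Where-Object { $_ -like 'Vcbit*' }
            if ($vcbit) { $reasons += ('CLSID key carries values: ' + ($vcbit -join ', ')) }
        }
        # Generic checks that apply to any hook: no DLL, DLL missing on disk, or unsigned DLL.
        if (-not $dllPath) {
            $reasons += 'CLSID has no InprocServer32 path'
        } elseif (-not (Test-Path $dllPath)) {
            $reasons += 'DLL path does not exist on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }
        }

        $findings += [pscustomobject]@{
            CLSID   = $clsid
            Label   = $label
            DllPath = $dllPath
            Reasons = $reasons
        }
    }
    return $findings
}

# Every registered hook is listed; the Reasons column is empty for entries
# that match none of the indicators above.
Find-ShellExecuteHookIndicators | Format-List
```

Legitimate software (for example some anti-virus shell extensions) also registers ShellExecuteHooks, so an entry alone is not a verdict: an unsigned DLL in %SYSDIR% with a generic-looking name, combined with the `Vcbit*` values, is what distinguishes this sample.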

File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Carlos Valero Llabata on Thursday, August 12, 2010
Description updated by Carlos Valero Llabata on Thursday, August 12, 2010
