Trojan.Win32.PSW.gz
Detect: Trojan.Win32.PSW.gz
Platform: Win32
Type: Trojan
Size: 61200 bytes
Packed: UPX
Unpacked size: 77072 bytes
Language: C++
Summary
Trojan.Win32.PSW.gz is a Trojan program designed to steal user passwords for online games and messenger clients.
Technical Details
Installation
The Trojan is installed by other malicious programs that are able to load the Trojan's library into the address space of every process running on the system.
Payload
Once launched, the Trojan checks the name of the executable file of the process it is running in. The Trojan terminates if the file has one of the following names:
- QQLogin.exe, the executable of Tencent QQ, the most popular instant messaging client in mainland China.
- DNF.exe, the executable of the online game Dungeon Fighter Online.
If the file name is Wow.exe, the Trojan starts a separate thread. Wow.exe is the executable of the online game World of Warcraft.
In this thread, the Trojan steals the login and password for the services indicated above.
In addition, the Trojan steals the content of the World of Warcraft configuration file:
%WowFolder%\WTF\config.wtf
where %WowFolder% is the folder where the World of Warcraft game client is stored.
In addition, the Trojan can take screenshots and save them in the current user's temporary folder with the ".jpg" extension.
The collected information is sent to the attacker's server as parameters of an HTTP request.
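The behaviour chain above (a library loaded into the game client, a read of WTF\config.wtf, a .jpg written to the temporary folder, an outbound HTTP request from the same process) can be correlated in endpoint telemetry. The script below is an added example, not part of this entry; the event layout and the sample events are constructed, and pid 1204 is a hypothetical infected Wow.exe while pid 3308 is a clean one.

```python
from collections import defaultdict

TARGET_IMAGES = {"wow.exe"}  # host process that receives the stealer thread
# Stages of the behaviour chain described in the entry.
STAGES = ("dll_in_game_client", "config_wtf_read", "jpg_in_temp", "http_out")

def classify(event):
    """Map one event to the stage it evidences, or None if it matches nothing."""
    kind, image, target = event["kind"], event["image"].lower(), event["target"].lower()
    if kind == "ImageLoad" and image.rsplit("\\", 1)[-1] in TARGET_IMAGES \
            and not target.startswith("c:\\windows\\"):
        return "dll_in_game_client"      # non-system DLL loaded into the game client
    if kind == "FileRead" and target.endswith("\\wtf\\config.wtf"):
        return "config_wtf_read"         # game configuration file read
    if kind == "FileCreate" and "\\temp\\" in target and target.endswith(".jpg"):
        return "jpg_in_temp"             # screenshot dropped in the temp folder
    if kind == "NetworkConnect" and event.get("dst_port") == 80:
        return "http_out"                # plain HTTP exfiltration
    return None

def correlate(events, required=len(STAGES)):
    """Return {pid: sorted stages} for processes that hit at least `required` stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["pid"]].add(stage)
    return {pid: sorted(s) for pid, s in seen.items() if len(s) >= required}

# Constructed sample telemetry (not real logs): pid 1204 shows the full chain,
# pid 3308 is a benign game client that only loads a system DLL and reads its config.
WOW = r"C:\Games\WoW\Wow.exe"
SAMPLE_EVENTS = [
    {"pid": 1204, "kind": "ImageLoad", "image": WOW,
     "target": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"pid": 1204, "kind": "FileRead", "image": WOW, "target": r"C:\Games\WoW\WTF\config.wtf"},
    {"pid": 1204, "kind": "FileCreate", "image": WOW,
     "target": r"C:\Users\user\AppData\Local\Temp\scr01.jpg"},
    {"pid": 1204, "kind": "NetworkConnect", "image": WOW, "target": "203.0.113.10", "dst_port": 80},
    {"pid": 3308, "kind": "ImageLoad", "image": WOW, "target": r"C:\Windows\System32\user32.dll"},
    {"pid": 3308, "kind": "FileRead", "image": WOW, "target": r"C:\Games\WoW\WTF\config.wtf"},
]

if __name__ == "__main__":
    for pid, stages in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(stages)}")
```

Requiring all four stages keeps a legitimate client that merely reads its own config.wtf out of the result; lowering `required` trades precision for earlier visibility.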
Removal Recommendations
- Delete the original Trojan file (its name and location depend on how the Trojan originally got onto the computer).
- Run a full scan of the computer with an antivirus program using an up-to-date definition database.