#38 BitDefender weekly review

A revamped version of Trojan.PWS.OnlineGames.KCWP, which we wrote about two weeks ago, is targeting online game players again this week. The behavior is largely the same; the only change is the list of games it steals sensitive data from.


The purpose of this malware is to steal certain MMORPG login credentials. When first executed it copies itself into %temp% under the name herss.exe and drops a DLL file, cvasds0.dll, in the same location.

The dropped DLL is injected into explorer.exe. Once running in that process's memory space, it makes another copy of herss.exe in the root folder of the system drive. The new executable is named wcgswa.exe, and an autorun.inf file pointing at it is created so that it is executed every time the drive is opened in Explorer.

Next it adds herss.exe to a registry key so that it is executed at startup, and disables the "Show hidden files and folders" option under Folder Options → View.

The injected DLL file is responsible for the password stealing and targets the following online games: Metin2, FlyFF, Maple Story, Age of Conan, Knight Online.
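The autorun.inf trick above is worth being able to recognise on sight. The parser and triage routine below is an added example written for this review, not BitDefender's code and not anything recovered from the sample; the autorun.inf it runs over is constructed, so the exact keys it uses are an assumption. It goes slightly beyond this particular malware: it also flags executables referenced from shell\<verb>\command entries and the common "Open folder to view files" caption that disguises an AutoPlay launcher.

```python
import re
from typing import Dict, List

# Keys whose value Explorer/AutoPlay executes when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries, e.g. shell\open\command, shell\explore\command
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section (keys lower-cased).
    Deliberately lenient: malware pads these files with junk, comments and
    odd casing, and Windows simply ignores lines it cannot parse."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _target_of(value: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage_autorun(text: str, known_bad=("wcgswa.exe", "herss.exe")) -> List[str]:
    """List the reasons an autorun.inf looks like a launcher for malware."""
    findings: List[str] = []
    entries = parse_autorun(text)
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            target = _target_of(value)
            name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in known_bad:
                findings.append(f"{key}: launches known IOC {name}")
            elif name.endswith(EXEC_EXTENSIONS):
                findings.append(f"{key}: launches executable {target}")
    # A benign-looking AutoPlay caption next to an open= entry is the usual
    # disguise: the user thinks they chose "Open folder" and runs the payload.
    action = entries.get("action", "")
    if "open folder" in action.lower() and any(k in entries for k in LAUNCH_KEYS):
        findings.append(f'action: "{action}" mimics the built-in Open folder choice')
    return findings


# Constructed sample mirroring the wcgswa.exe persistence described above;
# the exact keys this sample uses are an assumption, not taken from the malware.
SAMPLE_AUTORUN = r"""
[AutoRun]
; padding and odd casing are ignored by Windows, so the parser ignores them too
OPEN=wcgswa.exe
shell\open\Command=wcgswa.exe
shell\explore\command=wcgswa.exe
ShellExecute=wcgswa.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Run it against the autorun.inf found in a drive root; anything that names an executable in a launch key deserves a look, and a match on a known file name is a confirmed indicator.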


The name of the malware already hints at what it is about: another repackaged rogue "anti-virus". The name this time is "Total Security" and it behaves very

When first executed it copies itself to %systemdrive%\Documents and Settings\All Users\Application Data\[random number].exe and creates another pc[random number]ins file in the same folder. Afterwards it deletes the original file and performs several registry changes, one of which ensures the e-threat's execution at every system startup.
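Both the OnlineGames trojan above and Total Security rely on a registry value that starts them at boot, and the trojan additionally turns off "Show hidden files and folders". The script below, an added example and not BitDefender's code, triages a regedit .reg export for both. It assumes the autostart value lives under a Run key (the article only says "a certain registry key") and that the Explorer setting is the Hidden value under Explorer\Advanced, where 2 means hidden files are not shown; the export and the value names in it are constructed.

```python
import re
from typing import Dict, List

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
EXPLORER_ADV_RE = re.compile(r"\\currentversion\\explorer\\advanced$", re.I)
# Launch locations legitimate autostart entries rarely use: temp folders, the
# shared Application Data folder, or a bare file in the drive root.
SUSPECT_PATH_RE = re.compile(
    r"\\temp\\|\\locals~1\\temp\\|\\application data\\|\\programdata\\|^[a-z]:\\[^\\]+$", re.I)
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr")


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """{key path: {value name: data}}; strings unescaped, dwords as int, rest raw."""
    keys: Dict[str, Dict[str, object]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith('"'):         # "name"=data
            end = line.find('"', 1)
            if end < 0:
                continue
            name, rest = _unescape(line[1:end]), line[end + 1:]
        else:                            # @=data is the key's default value
            name, rest = "@", line[1:]
        if not rest.startswith("="):
            continue
        data = rest[1:]
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def _exe_of(command: str) -> str:
    # Quoted path, else (like CreateProcess) the shortest unquoted prefix that
    # ends in an executable extension, so "C:\Documents and Settings\..." works.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0] if tokens else ""


def triage_reg(text: str) -> List[str]:
    """Flag autostart values in suspicious places and Explorer's Hidden=2
    (the 'Show hidden files and folders' option turned off)."""
    findings: List[str] = []
    for key, values in parse_reg(text).items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                exe = _exe_of(data)
                stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if SUSPECT_PATH_RE.search(exe) or stem.isdigit():
                    findings.append(f"{key}\\{name}: autostart from suspicious location {exe}")
        elif EXPLORER_ADV_RE.search(key) and values.get("Hidden") == 2:
            findings.append(f"{key}: Hidden=2, 'Show hidden files and folders' is turned off")
    return findings


# Constructed .reg export. The value names ("herss", the numeric Total Security
# entry) and the use of the Run key are assumptions; the article only says the
# malware is registered to start at boot.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"herss"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\herss.exe"
"ctfmon"="\"C:\\WINDOWS\\system32\\ctfmon.exe\" /n"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"83726152"="C:\\Documents and Settings\\All Users\\Application Data\\83726152.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"""
```

Export the Run keys and the Explorer\Advanced key with regedit (or `reg export`) from the suspect machine and feed the file to `triage_reg`; the location heuristics catch both the %temp% copy and the All Users\Application Data copy without needing the random file names in advance.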

[Screenshot: fake AV detection]

The application will "scan" the victim's computer, displaying a multitude of infections, all of them obviously fake. In addition to the fake AV arsenal, this version also closes every running application except Internet Explorer, to force the user into buying the "product". It displays a warning message each time it closes an application: "Application cannot be executed. The file [application file] is infected. Please activate your antivirus software."

[Screenshot: fake AV warning]

It also changes the user's desktop background image so that the supposed infection is easily noticeable.

[Screenshot: fake AV background]


The purpose of the worm is to steal sensitive information and monitor browser activity. In order to accomplish this undetected, it has the ability to disable certain antivirus products (e.g. Norton, Kaspersky, McAfee).

When first executed it creates another copy of itself inside the folder it is present in. The name is kept the same, with another ".exe" appended at the end.

Next it executes the new copy with the parameter "/res > %temp%\fio.bat" (the ">" redirects the copy's output into the batch file) and creates a DLL file inside %windir%\system32 called fio.dll.

A driver is dropped in %windir%\system32\drivers under the name fio.sys. This driver is responsible for disabling the security suites, if present.

The created fio.bat ends the application's initial process and makes several changes to the system:

- adds a new firewall exception named "fio32" for the process "svchost.exe"
- adds a firewall exception for TCP port 8085
- starts a new service named "fioo32" for the "fio32.dll" file
- the copy of the malware

After this, fio.bat deletes itself as well.
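To check a machine for the firewall changes fio.bat makes, the script below parses a verbose rule listing from netsh and flags the rule name and port from the description, plus any inbound allow rule for svchost.exe that is not tied to a specific service (an exception for the generic service host lets any service it hosts listen). This is an added example, not BitDefender's code; the input is constructed to look like `netsh advfirewall firewall show rule name=all verbose` output, which is an assumed format, and the name of the port rule is made up because the article does not give it.

```python
import re
from typing import Dict, List

# Indicators from the fio.bat description: the rule name it creates and the
# port it opens. Extend these sets with your own intel.
IOC_RULE_NAMES = {"fio32"}
IOC_PORTS = {"8085"}

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Split 'netsh advfirewall firewall show rule name=all verbose' output
    into one dict per rule. Each rule starts with a 'Rule Name:' line."""
    rules: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = FIELD_RE.match(line)
        if not m:                       # e.g. the trailing "Ok." line
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[field] = value
    return rules


def triage_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Flag enabled allow rules that match the IOCs or open svchost.exe broadly."""
    findings: List[str] = []
    for r in rules:
        name = r.get("Rule Name", "")
        if r.get("Enabled") != "Yes" or r.get("Action") != "Allow":
            continue
        inbound = r.get("Direction") == "In"
        program = r.get("Program", "Any")
        basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() in IOC_RULE_NAMES:
            findings.append(f"{name}: rule name matches a known IOC")
        if inbound and r.get("LocalPort") in IOC_PORTS:
            findings.append(f"{name}: inbound allow on {r.get('Protocol', '?')} port {r['LocalPort']}")
        if inbound and basename == "svchost.exe" and r.get("Service", "Any") == "Any":
            findings.append(f"{name}: inbound allow for svchost.exe without a service restriction")
    return findings


# Constructed listing (trimmed to the fields the triage uses). The first two
# rules model what fio.bat adds; the last two are ordinary built-in rules.
SAMPLE_NETSH = r"""
Rule Name:                            fio32
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:
Protocol:                             Any
Program:                              C:\WINDOWS\system32\svchost.exe
Service:                              Any
Action:                               Allow

Rule Name:                            Open port 8085
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            8085
Program:                              Any
Service:                              Any
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
RemotePort:                           53
Program:                              %SystemRoot%\system32\svchost.exe
Service:                              dnscache
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Protocol:                             TCP
LocalPort:                            445
Program:                              System
Service:                              Any
Action:                               Allow
Ok.
"""

if __name__ == "__main__":
    for finding in triage_rules(parse_netsh_rules(SAMPLE_NETSH)):
        print(finding)
```

Disabled rules and outbound rules are skipped on purpose: the DNS rule above also names svchost.exe, but it is outbound and bound to a single service, which is how Windows' own rules look. The svchost check will also fire on some legitimate administrator-made exceptions, so treat it as a lead to confirm against the service list, not a verdict.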

Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad, Stefan Catalin Hanu and George Cabau.