/* Style Definitions */
mso-padding-alt:0in 5.4pt 0in 5.4pt;
font-family:”Times New Roman”,”serif”;}
is disguised as a Microsoft Office Word Document by having its usual executable
file icon changed, to trick users into launching it.
executed, it will drop a .DLL file in %windir%system32 with a random name
composed of 9 letters (e.g: frjacnwrm.dll). The file will be registered as a
BHO (Browser Helper Object) by making changes to specific registry values that
affect Internet Explorer’s behavior.
downloader next drops a batch file, sys.bat, that is used to delete itself.
The BHO is
used to monitor the users browsing behavior and the gathered data is sent to a
domain similar to: http://[removed]idbredov.ru
this password stealer will perform the following operations:
itself under the name herss,exe inside %temp%
a file called cvasds0.dll inside %temp%
changes to the registry in order for the copy to get executed at every system
“installation”, the Trojan will inject the dropped DLL file into every running
process and make other copies of itself inside the root folder of every
removable drive. These copies are named bychft.exe and are pointed to by an
autorun.inf file which will ensure their execution each time the drive is
accessed, if the Windows’ autorun feature is enabled.
injected DLL is responsible of the password stealing. It will check the
processes of MapleStory, AgeOfConan, The Lord of the Rings Online, Knight
Online, Metin 2 and FlyFF. If valid login data was submitted inside any of
these games the Trojan will send these to a large number of compromised
computers which it keeps as a list of hardcoded IP addresses.
in this article is available courtesy of BitDefender virus researcher: Dana
Stanut and Lutas Andrei Vlad