Gaming meets a revived opponent: Trojan.PWS.Onlinegames.KDCI

Online game players are once again the target of malicious software which steals game passwords.

Once on the computer, Trojan.PWS.Onlinegames.KDCI follows a smart and precise routine. Firstly, it makes sure that it is not affected by a system restart by creating autorun.inf files that automatically launch copies of itself.

Secondly, this piece of malware creates copies of itself in the root of the local drives and in the temporary folder of the current user. In the latter location, it drops a .dll file able to intercept passwords related to Maplestory, The Lord of the Rings Online, Knight Online, Dekaron and other online games. At the system start-up, the copy is registered by a new entry under HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run and the original Trojan destroys itself, leaving behind no trace of its existence.

Thirdly, the .dll file injects itself into the memory space of the explorer.exe process, from which it runs, stealing passwords and creating an autorun.inf file in the root folder of all local partitions every two minutes in order to replicate.
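A triage check for the persistence artefacts described above, as an added example that is not from the original article or from BitDefender: it flags Run-key commands that point into the user's temporary folder and autorun.inf files whose [autorun] section launches a program. The entry names, paths and file names in the sample data are constructed.

```python
import ntpath
import re

# autorun.inf keys that make Windows start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def autorun_launch_targets(text):
    """Return the programs an autorun.inf [autorun] section would launch."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if LAUNCH_KEY.match(key.strip()):
                targets.append(value.strip())
    return targets

def references_dir(command, directory):
    """True if a quoted or bare path in a Run-key command lies under directory."""
    root = ntpath.normcase(ntpath.normpath(directory)) + "\\"
    for quoted, bare in re.findall(r'"([^"]+)"|([^\s",]+)', command):
        path = ntpath.normcase(ntpath.normpath(quoted or bare))
        if path.startswith(root):
            return True
    return False

def triage(run_entries, autorun_files, temp_dir):
    """Return (kind, location, detail) findings for both persistence artefacts."""
    findings = [("run-key-temp", name, cmd) for name, cmd in run_entries.items()
                if references_dir(cmd, temp_dir)]
    for drive, text in autorun_files.items():
        findings += [("autorun-launch", drive, t) for t in autorun_launch_targets(text)]
    return findings

# Constructed sample data (not taken from a real infection).
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"
RUN_ENTRIES = {
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "sample_entry": r"C:\Users\alice\AppData\Local\Temp\sample_copy.exe",
}
AUTORUN_FILES = {
    "C:\\": "[AutoRun]\nopen=sample_copy.exe\nshell\\open\\command=sample_copy.exe\n",
    "D:\\": "[autorun]\nicon=setup.ico\nlabel=Data\n",
}

if __name__ == "__main__":
    for finding in triage(RUN_ENTRIES, AUTORUN_FILES, TEMP_DIR):
        print(finding)
```

On a live host the inputs would be the values read from the HKCU Run key and the text of each drive root's autorun.inf; paths written in 8.3 short form are not matched by this check.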

Please remember that online gaming is not one of the safest media on the Internet and that a regularly updated security solution equipped with antimalware, anti-phishing and anti-spam modules might come in handy.

Information in this article is available courtesy of BitDefender virus researcher Marius Vanta.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.