Gaming meets a revived opponent: Trojan.PWS.Onlinegames.KDCI

Once on the
computer, Trojan.PWS.Onlinegames.KDCI
follows a smart and precise routine. Firstly, it makes sure that it is not affected
by a system restart by creating autorun.inf files that automatically launch
copies of itself.

Secondly, this
piece of malware chooses as locations the root of the local drives and the
temporary folder of the current user to create copies of itself. In the latter
location, it drops a .dll file able to intercept passwords related to
Maplestory, The Lord of the Rings Online, Knight Online, Dekaron and other
online games. At the system start-up, the copy is registered by a new entry
under HKCUSoftWareMicrosoftWindowsCurrentVersionRun and the original
Trojandestroys itself, leaving behind no trace of its existence.

Thirdly, the .dll
file injects itself into the memory space of the explorer.exe process where it is
being executed from, stealing passwords and creating an autorun.inf file in the
root folder of all local partitions, every two minutes in order to replicate
itself.

Please remember that online gaming
is not one of the safest medium on Internet and a security solution regularly
updated equipped with antimalware, anti-phishing and anti-spam modules might
come in handy.

Information in this article is
available courtesy of BitDefender virus
researcher Marius Vanta.