/* Style Definitions */
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-fareast-font-family:”Times New Roman”;
mso-bidi-font-family:”Times New Roman”;
is a straightforward downloader. Once executed it will try to download a file
from a website. If downloading succeeds it will save the file as a hidden,
system file under the name “install.exe” in the same directory it has been
the downloaded file is executed, a batch file with random name is also created.
Its role is to delete the downloader after the payload has been launched.
Downloader belongs to an online games password stealer family.
packed with UPX in order to avoid detection by security products. Upon
execution it will drop a dll file in %system%, which will be injected in every
running process in order to find the desired application to steal
authentication information from, in our case, xy2.exe or xy2_ex.exe belonging
to a chineze MMORPG called “Westward Journey Online II”.
gathering account username and password, used client, server, character levels
and names as well as other data and sends it to the malware author via two
different scripts located at:
It will create
several registry keys that will load the dropped dll at every system startup.
At the end
of its execution, the malware creates a batch file which will delete the
initial executable, leaving only the dll on the system.
Information in this article is
available courtesy of BitDefender virus researchers: Lutas Andrei Vlad, Dana Stanut