WOW Thief: trojan-PSW.Win32.OnLineGames.v
Acquisition time: 2010-6-06
Hazard rating: Medium
Virus symptoms
The sample is a Trojan developed with “VC”. It is packed with “UPX” in an attempt to evade signature scanning; the packed file is “60,312” bytes and has the extension “exe”. It spreads mainly through file bundling, downloaders and web pages carrying Trojans. Its primary purpose is to steal the user's World of Warcraft (WOW) account and password information.
After the user's computer is infected, the game exits for no apparent reason and without an error message, and World of Warcraft account and password information is stolen.
Infected objects
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Web-page Trojans, file bundling, downloaders
Manual Solution:
1. Manually delete the following files:
X\syslpk.dll
X\ksuser.dll
X\sysText.dll
%Temp%\53450468.DLL
%Temp%\www.dll
Variable declaration:
%SystemDrive%: the partition where the operating system is installed, typically “C:\”
%SystemRoot%: the Windows directory, usually “C:\Windows”
%Documents and Settings%: the user documents directory, usually “C:\Documents and Settings”
%Temp%: the temporary folder, usually “C:\Documents and Settings\current user name\Local Settings\Temp”
%ProgramFiles%: the default program installation directory, typically “C:\Program Files”
The virus creates files (X is the installation path of Warcraft):
X\syslpk.dll
X\ksuser.dll
X\sysText.dll
%Temp%\www.dll
%Temp%\53450468.DLL (random filename)
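A read-only check for the files listed above, as an added example that is not part of the original advisory. The -WowPath and -TempPath parameters are hypothetical names, and the pattern for the random file name assumes it is always eight digits, like the one sample name the advisory gives.

```powershell
# Added example: read-only check for the files this advisory lists.
param(
    # Assumption: World of Warcraft install path ("X" in the advisory).
    [Parameter(Mandatory = $true)][string]$WowPath,
    # Assumption: the infected user's temp folder; defaults to the current user's.
    [string]$TempPath = $env:TEMP
)

# File names taken from the advisory's file list.
$inGameDir = 'syslpk.dll', 'ksuser.dll', 'sysText.dll'
$inTemp    = 'www.dll'
# Assumption: the random name is eight digits, like the advisory's 53450468.DLL.
$randomDll = '^\d{8}\.dll$'

# Build the list of paths to check; nothing is deleted or modified.
$candidates  = @($inGameDir | ForEach-Object { Join-Path $WowPath $_ })
$candidates += Join-Path $TempPath $inTemp
if (Test-Path -LiteralPath $TempPath -PathType Container) {
    $candidates += @(
        Get-ChildItem -LiteralPath $TempPath -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match $randomDll } |
            ForEach-Object { $_.FullName }
    )
}

# Record size, timestamp and hash of each hit so it can be reviewed first.
$found = foreach ($path in ($candidates | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Path     = $item.FullName
            Size     = $item.Length
            Modified = $item.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($found) {
    $found | Format-List
    Write-Warning "$(@($found).Count) file(s) match the advisory; review before deleting."
} else {
    Write-Output 'None of the listed files were found.'
}
```

ksuser.dll is also the name of a legitimate Windows component in %SystemRoot%\System32; the check only looks at the copy in the game directory, which is the location the advisory lists. An eight-digit DLL in the temp folder is a candidate for review, not proof of infection.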