(no subject)
Aug. 2nd, 2005 06:42 am

Oh, how cute. A Trojan to steal World of Warcraft login information.
When PWSteal.Wowcraft is executed, it performs the following actions:
1. Copies itself as one of the following:
* %ProgramFiles%\svhost32.exe
* %ProgramFiles%\rundll32.exe
* %ProgramFiles%\Internat.exe
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
2. Creates the following file:
%System%\msdll.dll
Note: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Adds the value:
"load" = "[PATH TO DROPPED FILE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the file runs every time Windows starts.
4. Injects msdll.dll into other running processes, including explorer.exe, so that it can monitor for passwords entered.
5. Attempts to initiate a keylogging process upon finding windows associated with "wow.exe", "Launcher.exe", "www.wowchina.com" or "signup.worldofwarcraft.com".
6. Emails the gathered online "World of Warcraft" passwords to the Trojan's author.
7. Attempts to disable processes or windows which contain the following strings, some of which may be security related:
* EGHOST.EXE
* MAILMON.EXE
* KAVPFW.EXE
* Ravmon.exe
* Ravmond.exe
* ZoneAlarm
8. Attempts to download and execute files from the Internet.
Good luck getting through step 6, kidlets.
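Worth noticing in the writeup: the three drop names imitate Windows binaries (svchost.exe, rundll32.exe, internat.exe), but the real rundll32.exe and internat.exe live in %SystemRoot%\System32, and there is no svhost32.exe at all, so the path is the tell, not the name. The script below is an added example, not part of the original post or of Symantec's description; it turns steps 1 and 3 of the writeup into an offline triage check over a registry export of the Run key and a process listing. The sample export and listing are constructed, and the "expected" directories assume a default install (C:\Windows\System32, C:\Program Files).

```python
"""Offline triage for the PWSteal.Wowcraft persistence and masquerading IOCs.

Parses a .reg export of the HKLM Run key and a tab-separated process listing
(both supplied as text) and reports anything matching the writeup above.
All sample input here is constructed; nothing is read from the live host.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Names the Trojan drops under %ProgramFiles% (from the writeup).
DROPPED_NAMES = {"svhost32.exe", "rundll32.exe", "internat.exe"}

# Assumption: default install, so the genuine binaries live here.  svhost32.exe
# imitates svchost.exe and has no legitimate home anywhere (None).
EXPECTED_DIR = {
    "rundll32.exe": r"c:\windows\system32",
    "internat.exe": r"c:\windows\system32",
    "svhost32.exe": None,
}
PROGRAM_FILES = r"c:\program files"  # assumption: default %ProgramFiles%


def _unquote_reg_string(raw):
    """Turn a .reg literal ("C:\\\\x") into the stored string (C:\\x)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key: {value_name: value}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and not line.startswith("@"):
            name, _, value = line.partition("=")
            if value.startswith('"'):  # string values only; skip hex:/dword:
                keys[current][_unquote_reg_string(name)] = _unquote_reg_string(value)
    return keys


def _executable_of(command):
    """Extract the image path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def _suspicious_path(path):
    """Reason string if `path` matches a Wowcraft drop location or a
    masqueraded system binary, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name not in DROPPED_NAMES:
        return None
    if parent == PROGRAM_FILES:
        return f"{name} under %ProgramFiles% (Wowcraft drop location)"
    expected = EXPECTED_DIR[name]
    if expected is None:
        return f"{name} has no legitimate counterpart anywhere"
    if parent != expected:
        return f"{name} outside {expected} (masquerading as a system binary)"
    return None


def check_run_key(reg_text):
    """Findings for the Run key: the 'load' value name, or any drop-name path."""
    findings = []
    for name, command in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        reason = _suspicious_path(_executable_of(command))
        if name.lower() == "load":
            findings.append(f'Run value "load" present -> {command} (Wowcraft persistence)')
        elif reason:
            findings.append(f'Run value "{name}" -> {reason}')
    return findings


def check_processes(listing):
    """Findings for a listing of '<image name>\\t<full path>' lines."""
    findings = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, path = line.partition("\t")
        reason = _suspicious_path(path)
        if reason:
            findings.append(f"process {name} ({path}): {reason}")
    return findings


# Constructed sample data: one benign Run entry, the Trojan's "load" value,
# and a legitimate rundll32 invocation from the right directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"load"="C:\\Program Files\\svhost32.exe"
"rundll32"="C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"
'''

SAMPLE_PROCESSES = """\
# image name<TAB>executable path (constructed)
explorer.exe\tC:\\Windows\\explorer.exe
rundll32.exe\tC:\\Windows\\System32\\rundll32.exe
rundll32.exe\tC:\\Program Files\\rundll32.exe
Internat.exe\tC:\\Documents and Settings\\bob\\Local Settings\\Temp\\Internat.exe
wow.exe\tC:\\Program Files\\World of Warcraft\\wow.exe
"""

if __name__ == "__main__":
    for finding in check_run_key(SAMPLE_REG) + check_processes(SAMPLE_PROCESSES):
        print("[!]", finding)
```

On the sample data the Run check flags only the "load" value, and the process check flags the Program Files rundll32.exe and the Temp Internat.exe while leaving the System32 rundll32.exe alone. The same logic generalises past this Trojan: any list of system-binary names paired with the directory they are supposed to live in catches the "right name, wrong folder" trick that step 1 relies on.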