Threat Encyclopedia

Short description
Win32/PSW.OnLineGames.NNU is a trojan that steals sensitive information. The trojan can send the information to a remote machine.
Installation
When executed, the trojan copies itself into the %temp% folder using the following filename:
  • herss.exe (118853 B)
The following file is dropped in the same folder:
  • cvasds%number%.dll (77799 B)
The variable %number% represents a randomly generated number in the range 0-9.

Libraries with the following names are injected into all running processes:
  • %temp%\cvasds%number%.dll
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "cdoosoft" = "%temp%\herss.exe"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = 2
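
A triage check for the registry changes listed above, added here as an example and not part of the original entry: it parses the text of a .reg export and reports which of the listed values are present. The sample export (user name and path included) and the indicator labels are constructed; reporting "Hidden" = 2 only alongside another hit is a choice made here, because that value is also the Windows default.

```python
import re

# Keys from the Installation section above, lower-cased for comparison.
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
SHOWALL = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\advanced\folder\hidden\showall")

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}} (names lower-cased)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def find_indicators(text):
    """Return the sorted indicator labels matched in a .reg export."""
    keys, hits = parse_reg(text), set()
    for name, data in keys.get(RUN, {}).items():
        if name == "cdoosoft":
            hits.add("run-value-cdoosoft")
        if isinstance(data, str) and data.lower().endswith("\\herss.exe"):
            hits.add("run-target-herss.exe")
    if keys.get(SHOWALL, {}).get("checkedvalue") == 0:
        hits.add("showall-checkedvalue-0")
    # Hidden=2 is also the Windows default, so report it only next to another hit.
    if hits and keys.get(ADVANCED, {}).get("hidden") == 2:
        hits.add("hidden-2")
    return sorted(hits)

# Constructed sample export; the user name and path are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="C:\\Users\\alice\\AppData\\Local\\Temp\\herss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''
```

Exports written by regedit are UTF-16, so decode the file before passing its text to find_indicators.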
Spreading
The trojan copies itself into the root folders of fixed and/or removable drives using one of the following filenames:
  • t2hjo0.exe
  • r2g20.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the trojan ensures it is started each time infected media is inserted into the computer.
Information stealing
The trojan collects various information related to online computer games.

The trojan gathers information related to the following processes:
  • ageofconan.exe
  • cabalmain.exe
  • client.exe
  • dekaron.exe
  • dofus.dll
The trojan can log keystrokes and send the collected information to a remote machine over HTTP.
Other information
The trojan interferes with the operation of some security applications to avoid detection.

The following programs are terminated:
  • ALUSCHEDULERSVC.EXE
  • ASHDISP.EXE
  • AVGNT.EXE
  • AVGRSX.EXE
  • AVP.EXE
The trojan can download and execute a file from the Internet. It contains a list of 5 URLs and uses techniques common to rootkits.