Threat Encyclopedia


Win32/PSW.OnLineGames.OUM

Aliases: Trojan-GameThief.Win32.Magania.ddct (Kaspersky), Worm:Win32/Taterf.DL (Microsoft), W32/Taterf.B!Generic (F-Prot)
Type of infiltration: Trojan
Size: 100352 B
Affected platforms: Microsoft Windows
Signature database version: 5010 (20100408)

Short description

Win32/PSW.OnLineGames.OUM is a trojan which tries to download other malware from the Internet. The trojan interferes with the operation of some security applications to avoid detection. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.

The following file is dropped into the %system% folder:
  • softqq0.dll (64512 B)
The following Registry entries are created:
  • [HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-B9B3-483E-C484D4B20B72}]
    "VcbitExeModuleName" = "%malwarepath%"
    "VcbitDllModuleName" = "%system%\softqq0.dll"
    "VcbitSobjEventName" = "CVBASDDOOPADSAMN_0"
  • [HKEY_CLASSES_ROOT\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32]
    "(Default)" = "%system%\softqq0.dll"
    "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}" = "hook dll rising"
  • [HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT]
    "KVBIT_1"
    "KVBIT_2"

Other information

The trojan interferes with the operation of some security applications to avoid detection.

The following files are modified:
  • SUpdate.exe
  • autoup.exe
  • luall.exe
  • avast.setup
  • setup.ovr
  • updater.dll
  • eguiEpfw.dll
  • eguiEmon.dll
  • ekrnEpfw.dll
  • ekrnEmon.dll
  • prupdate.ppl
  • SfFnUp.exe
  • UfUpdUi.exe
  • preupd.exe
  • update.exe
  • vsupdate.dll
  • avgupd.exe
  • VisthUpd.exe
  • %system%\drivers\klif.sys
  • %system%\drivers\cdaudio.sys
The trojan may create copies of the following files (source, destination):
  • %windir%\notepad.exe, %windir%\AhnRpta.exe
The trojan may delete the following files:
  • Update.exe
  • AYUpdate.aye
  • mcupdate.exe
The trojan may create the following files:
  • c:\%variable%.vcd
A string with variable content is used instead of %variable%.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\1000200\Profiles\@My profile\UrlSets\Node_00000000]
    "Masks" = "%value%"
A string with variable content is used instead of %value%.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The trojan can download and execute a file from the Internet. The HTTP protocol is used.
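The indicators listed in the Installation and Other information sections above can be checked on a suspect host with a short script. The following PowerShell is an added example written for this page, not part of the ESET entry: the file name, CLSID, registry paths and values come from the entry itself; the function name, the mapping of %system% to System32 and the use of an Authenticode signature check on the two listed drivers are this example's own assumptions. It only reads and reports; it does not modify anything.

```powershell
# Added example (not from the ESET entry): report the indicators the entry lists.
# Assumes %system% = %SystemRoot%\System32 and %windir% = %SystemRoot%.
function Test-OnLineGamesOUMIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $system = Join-Path $env:SystemRoot 'System32'   # %system%
    $windir = $env:SystemRoot                          # %windir%

    # 1. Dropped component in %system% (entry lists 64512 B).
    $dll = Join-Path $system 'softqq0.dll'
    if (Test-Path -LiteralPath $dll) {
        $size = (Get-Item -LiteralPath $dll).Length
        $findings += "Dropped DLL present: $dll ($size bytes)"
    }

    # 2. ShellExecuteHooks persistence: any CLSID registered here is loaded by Explorer,
    #    so the listed CLSID appearing as a value name is the key indicator.
    $hooksKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $clsid    = '{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}'
    if (Test-Path -LiteralPath $hooksKey) {
        $hooks = Get-ItemProperty -LiteralPath $hooksKey
        if ($hooks.PSObject.Properties.Name -contains $clsid) {
            $findings += "ShellExecuteHooks entry for $clsid = '$($hooks.$clsid)'"
        }
    }

    # 3. The CLSID's InprocServer32 default value pointing at the dropped DLL.
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $default = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        $findings += "InprocServer32 for $clsid -> '$default'"
    }

    # 4. Marker key the entry says the trojan creates.
    $marker = 'Registry::HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT'
    if (Test-Path -LiteralPath $marker) {
        $findings += "Marker key present: $marker"
    }

    # 5. Copy of notepad.exe stored under the name AhnRpta.exe.
    $copy = Join-Path $windir 'AhnRpta.exe'
    if (Test-Path -LiteralPath $copy) {
        $findings += "Renamed notepad copy present: $copy"
    }

    # 6. Drivers the entry lists as modified: a tampered signed driver no longer
    #    validates, so anything other than 'Valid' is worth a closer look.
    foreach ($drv in 'klif.sys', 'cdaudio.sys') {
        $path = Join-Path $system "drivers\$drv"
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "Driver $path signature status: $($sig.Status)"
            }
        }
    }

    return $findings
}

# Usage: run from an elevated prompt so HKLM and %system%\drivers are readable.
$result = Test-OnLineGamesOUMIndicators
if ($result.Count -eq 0) { 'No listed indicators found.' } else { $result }
```

The ShellExecuteHooks check is the one most worth keeping in a wider baseline: on a clean host that key holds at most a handful of known CLSIDs, so any unexpected value name there points at a shell extension that Explorer loads into every process that calls ShellExecute.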