Last February, our colleague Chun blogged about TrojanDownloader:Win32/Chekafe.A, which checks whether the system is in an Internet cafe and, if so, downloads password-stealing trojans related to MMORPG online games. Now we look deeper into one of the downloaded trojans, PWS:Win32/OnLineGames.GP (example SHA1: 935c02f86ed1212237a6a78801f41eb4a43d9ade).

PWS:Win32/OnLineGames.GP, like other password-stealing trojans, monitors processes belonging to MMORPG online games in order to steal account information: the account password, character status and gold count. Over the years we have watched these password-stealing trojans move from logging keystrokes to monitoring window names and even adding worm capabilities. Lately we have observed that, in addition to the above-mentioned arsenal, PWS:Win32/OnLineGames.GP patches specific DLL files. What do we mean by "patch"? A patched file in this case is one into which a tiny piece of malicious code has been inserted. PWS:Win32/OnLineGames.GP patches DLL files including, but not limited to, the following:

  • dsound.dll
  • ddraw.dll
  • d3d9.dll

The patched malicious code usually tries to execute or load the dropped components of PWS:Win32/OnLineGames.GP. The patched DLL files are detected as variants of the Virus:Win32/Patchstart or Virus:Win32/Patchload family.

Now, why patch only these particular files? These DLL files belong to DirectX. Then why patch DirectX-related DLL files? Most online games use DirectX to render the game's advanced graphics, so since this trojan targets online games, these DLLs are very likely to be loaded when the game starts, and the password-stealing trojan gets loaded along with them. Every time the game is played, the malware is activated as well.
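A defender's first question is whether the DirectX DLLs a game loads still look untouched. The following is an added example, not code from this post or from Microsoft: a small Python routine that parses a PE file's headers and applies a heuristic that a clean DLL's entry point sits in its first, non-writable code section, flagging files whose entry point has been redirected elsewhere. The section layouts, flag values and the `build_pe` helper are constructed for offline testing and are not taken from any real sample.

```python
import struct

# DirectX DLLs the post names as patch targets; any game rendering with DirectX loads them.
WATCHED_DLLS = ("dsound.dll", "ddraw.dll", "d3d9.dll")
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def parse_pe(pe: bytes):
    """Return (entry_rva, [(name, rva, virtual_size, flags), ...]) from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i  # section headers follow the optional header
        name, vsize, rva = struct.unpack_from("<8sII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, flags))
    return entry, sections

def entry_point_findings(pe: bytes):
    """Heuristic: a clean DLL's entry point sits in its first, non-writable code section."""
    entry, sections = parse_pe(pe)
    hit = [s for s in sections if s[1] <= entry < s[1] + s[2]]
    if not hit:
        return ["entry point outside every section"]
    name, _, _, flags = hit[0]
    reasons = []
    if not flags & SCN_EXECUTE:
        reasons.append(f"entry point in non-executable section {name}")
    if flags & SCN_WRITE:
        reasons.append(f"entry point in writable section {name}")
    if len(sections) > 1 and hit[0] == sections[-1]:
        reasons.append(f"entry point in last section {name}")
    return reasons  # empty list = nothing suspicious; a hit means inspect the file further

def build_pe(sections, entry):
    """Constructed minimal PE headers (no section bodies), for offline testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry) + b"\0" * (224 - 20)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, rva, 0, 0, 0, 0, 0, 0, f)
                     for n, rva, vs, f in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: a normal layout, and one whose entry point was redirected into an
# appended writable section, the shape a file-patching infector tends to leave behind.
TEXT, DATA = (".text", 0x1000, 0x8000, 0x60000020), (".data", 0x9000, 0x1000, 0xC0000040)
CLEAN = build_pe([TEXT, DATA], 0x1234)
PATCHED = build_pe([TEXT, DATA, (".xdat", 0xA000, 0x200, 0xE0000020)], 0xA010)
```

To check a real DLL, read it from disk and pass the bytes to `entry_point_findings`; a hit is a reason to compare the file against a known-good copy or its signed version, not a verdict on its own.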

Here are the common games we’ve seen that are being targeted:

  • Aion
  • DNF
  • Lineage
  • Perfect World

These games are very popular in Asia. Looking at the geographic distribution of detections from Dec 2009 to March 2010, the picture is very similar for all the malware families we've mentioned:

[Chart: geographic distribution of Patchstart detections]

[Chart: geographic distribution of Patchload detections]

[Chart: geographic distribution of OnlineGames.GP detections]

Based on the geographic distribution in all three charts, a large percentage of infections are found in China. For PWS:Win32/OnLineGames.GP, China and the USA are the countries most affected by the threat.

In case you suspect that you have been hacked or infected by this type of malware, we highly suggest that you change your account password immediately. You can also use our free online scanner as well as Microsoft Security Essentials at no charge to check for and remove these threats. You can also send us samples of the files if you suspect that they are malicious or have been infected.

Enjoy playing. Level up!

Elda Dimakiling and Francis Tan Seng