Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
PWS-Mmorpg.gen - A Password Stealer Trojan
This section describes the PWS-Mmorpg.gen Trojan targeting online game account information.
After seeing the McAfee VirusScan log file record on PWS-Mmorpg.gen (Trojan), I searched on the Internet and got some descriptions about this type of PWS Trojan.
http://vil.nai.com/vil/content/v_142170.htm:
Aliases: PWS-Mmorpg.gen, TR/PSW.OnLineGames.DR, Trojan-PSW.Win32.OnLineGames.dr, Trojan.OnLineGames-5, Trojan.Pws.Onlinegames.DR
Type: Trojan/Generic
Discovery Date: 05/07/2007

Characteristics:
PWS-Mmorpg is a trojan written in Borland Delphi, that attempts to steal passwords information for popular online MMORPG games. It also contains functionality to post this information to a remote website.

When executed, it drops the following files in all available drives, including removable and floppy drives:

.\Shell.exe --> copy of the trojan
.\autorun.inf --> detected as W32/USBAgent!inf
%WINDIR%\Help\ACDF4F3D0FD.exe --> copy of the trojan
%WINDIR%\Help\ACDF4F3D0FD.dll --> detected as PWS-Mmorpg.gen
...
http://www.sophos.com/security/analyses/trojonlinegj.html:
Aliases: Troj/OnLineG-J, PWS-Mmorpg.gen, Trojan-PSW.Win32.OnLineGames.acz
Sophos Protection: available since 27 July 2007
Category: Viruses and Spyware
Type: Trojan

Method of Infection:
When first run Troj/OnLineG-J copies itself to %System%\dsfids6.exe and creates the file %System%\9kxk0.dll.

The following registry entry is created to run dsfids6.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
daskaskfsak6 = %System%\dsfids6.exe
Apparently, these 2 Web pages were not talking about the same Trojan. But I use them to compare with what happened on my friend's computer.
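A triage check built from the file names and the Run value quoted in the two descriptions above, as an added example (not code from this tutorial, McAfee or Sophos). The function names, the directory arguments and the sample `reg query` output are assumptions made for the illustration; file names are matched case-insensitively because Windows treats them that way.

```python
import os
import re

# Indicators quoted on this page from the McAfee and Sophos descriptions.
INDICATORS = {
    "drive_root": ["Shell.exe", "autorun.inf"],
    "windir": [r"Help\ACDF4F3D0FD.exe", r"Help\ACDF4F3D0FD.dll"],
    "system": ["dsfids6.exe", "9kxk0.dll"],
}
RUN_VALUE_NAME = "daskaskfsak6"
RUN_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s+(.*)$")
# Constructed sample of `reg query` output for the Run key (not from the page).
SAMPLE_RUN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    daskaskfsak6    REG_SZ    C:\WINDOWS\system32\dsfids6.exe
"""

def resolve_nocase(base, rel_path):
    """Find rel_path under base, matching names case-insensitively; None if absent."""
    current = base
    for part in rel_path.replace("\\", "/").split("/"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = [n for n in names if n.lower() == part.lower()]
        if not match:
            return None
        current = os.path.join(current, match[0])
    return current

def find_dropped_files(locations):
    """locations maps 'drive_root', 'windir' or 'system' to directories to check."""
    found = ((kind, resolve_nocase(base, rel))
             for kind, bases in locations.items()
             for base in bases for rel in INDICATORS.get(kind, []))
    return sorted(hit for hit in found if hit[1])

def find_run_entries(reg_query_output):
    """Return (name, data) Run values matching the quoted name or startup file."""
    exes = ["\\" + f.lower() for f in INDICATORS["system"] if f.endswith(".exe")]
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if m and (m.group(1).lower() == RUN_VALUE_NAME
                  or any(e in m.group(3).lower() for e in exes)):
            hits.append((m.group(1), m.group(3).strip()))
    return hits
```

The two descriptions cover different variants with different file names, so an empty result only rules out these specific indicators.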