
| Aliases | | | |
|---|---|---|---|
| Typical Symptoms | | | |
| Discovered | [Korea] 0000-00-00 [Foreign] 0000-00-00 | | |
| Type | Virus | ActiveField | Win32 |
| Destroy/Distribution | | | |
| Origin | others | Encryption | NO |
| Location | Macro | Memory residence | NO |
| Scan engine needed | 2011-8-17 [Able to detect & repair] | | |

A. Route of Infection

Trojan.Win32.PSWIGames.95768 does not spread by itself; it is downloaded from hacked sites or by other malicious code such as spyware/adware, droppers, etc.

B. Symptom of Infection

1) A dropper replaces the (System Folder)\ws2help.dll file with malicious code. The original ws2help.dll file is renamed to ws3help.dll, and the malicious ws2help.dll file is put in its place.

2) It contains all the basic code of ws2help.dll, and the function that redirects to the original ws2help.dll file does not exist.

[PIC 1] Trojan.Win32.PSWIGames.95768.vir's IAT

3) It contains code that extends its own lifetime.

[PIC 2] Code to extend its lifetime

4) This code appears to be for stealing online game accounts such as FIFA Online, Maplestory, etc.

[PIC 3] String value for stealing game account

[How to repair] Reparable by ViRobot engine ver.2011-08-17.01 or above.