ThreatExpert Report: Infostealer.Lineage, Trojan-GameThief.Win32.OnLineGames.bx, New Malware.ey..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 11 September 2008, 16:27:09
Processing time: 5 min 35 sec
Submitted sample:

File MD5: 0xBFB94DA559CF271ACDF810427C04A111
File SHA-1: 0x0797546A47973D5084F158D20118E68181A66CC3
Filesize: 53,352 bytes
Alias:

Infostealer.Lineage [Symantec]
Trojan-GameThief.Win32.OnLineGames.bx [Kaspersky Lab]
New Malware.ey [McAfee]
Mal/EncPk-BW, Mal/Behav-160, Mal/Emogen-E [Sophos]
PWS:Win32/OnLineGames [Microsoft]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-PWS.OnlineGames.LP	Trojan.PSW.OnlineGames.LP attempts to steal password information from the following Massively Multiplayer Online Role Playing Game - MapleStory, Lineage and Kingdom of the Winds. The stolen information is then sent to the attacker. This threat uses rootkit to hide its existence.
Trojan-PWS.Hangame	Trojan.PSW.Hangame is a trojan which records keystrokes when the user access to www.hangame.com and steals login information.
Trojan-PWS.Lineage	Trojan.PWSteal.Lineage is a group of password stealing Trojans that attempt to steal passwords associated with the game called "Lineage" or "Lineage II", and send it to the creator of the Trojan.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\Ole5.tmp %Temp%\Ole7.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%Temp%\sp.dat	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
3	%Temp%\uboot.dll	45,056 bytes	MD5: 0x994377C1ACC9E15404D13B34891200EF SHA-1: 0x5EDFAD271B8D8B00D5E6092D806CF94E2F2E67A3	Trojan-PWS.OnlineGames.LP [PCTools] Infostealer.Lineage [Symantec] Trojan-PSW.Win32.OnLineGames.lp [Kaspersky Lab] PWS-Lineage.dll [McAfee] TSPY_ONLINEG.CK [Trend Micro] Mal/Generic-A [Sophos] PWS:Win32/Lineage.WA [Microsoft]
4	%Windir%\ntkros.dll	13,312 bytes	MD5: 0x5E8B3336C9ECD42CBFCAD6BA829D32E3 SHA-1: 0x8BDABE99EEA35550D5B46C367A2A06334C45D337	Trojan-PWS.Hangame [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.OnLineGames.bx [Kaspersky Lab] Mal_OLGM-2 [Trend Micro] Mal/Behav-160, Mal/Emogen-E [Sophos]
5	%Windir%\ntsock.exe	6,656 bytes	MD5: 0x473754166051CFE916FF82922A9AC87F SHA-1: 0xE39C1F577C9C79A63DACA98C9508A690E45BE769	Infostealer.Lineage [Symantec] Trojan-GameThief.Win32.OnLineGames.dl [Kaspersky Lab] PWS-Mmorpg.gen [McAfee] TROJ_OLGM.A [Trend Micro] Mal/Behav-160 [Sophos]
6	%Windir%\ntsocks.dll	11,776 bytes	MD5: 0x6B073CF3B5E712C6A74AA4C6C14964A6 SHA-1: 0x466DD0C32A2863632BE43789EB5070397A499A5D	Infostealer.Lineage [Symantec] Trojan-GameThief.Win32.OnLineGames.bx [Kaspersky Lab] PWS-Mmorpg.gen [McAfee] Mal_OLGM-2 [Trend Micro] Mal/Behav-160, Mal/Emogen-E [Sophos]
7	%Windir%\ntsys.exe	8,192 bytes	MD5: 0x03B0D8141E5100E9AC6021DA9E2B0801 SHA-1: 0x4E84A98A41158BA5CC2B9051EAA62938380E5C1E	Trojan-PWS.Hangame [PCTools] Downloader [Symantec] Trojan-PSW.Win32.OnLineGames.bx [Kaspersky Lab] Mal_OLGM-2 [Trend Micro] Mal/Behav-160 [Sophos]
8	[file and pathname of the sample #1]	53,352 bytes	MD5: 0xBFB94DA559CF271ACDF810427C04A111 SHA-1: 0x0797546A47973D5084F158D20118E68181A66CC3	Infostealer.Lineage [Symantec] Trojan-GameThief.Win32.OnLineGames.bx [Kaspersky Lab] New Malware.ey [McAfee] Mal/EncPk-BW, Mal/Behav-160, Mal/Emogen-E [Sophos] PWS:Win32/OnLineGames [Microsoft]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
uboot.bin	c:\uboot.bin	65,536 bytes
ntsys.exe	%Windir%\ntsys.exe	36,864 bytes
ntsock.exe	%Windir%\ntsock.exe	32,768 bytes
ntboot.bin	c:\ntboot.bin	90,112 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	163,840 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

winabc = "rundll32.exe %Temp%\uboot.dll,abcLaunchEv"

so that uboot.dll runs every time Windows starts

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit = "%System%\userinit.exe,%Windir%\ntsock.exe"

so that ntsock.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

load = "%Windir%\ntsys.exe"

so that ntsys.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

cyh
smk
ZXZB

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
zb.lo-t.com	0	(null)	(null)

The following HTTP URLs were started reading:

http://zb.lo-t.com/spcode.dat
http://zb.lo-t.com/i.htm

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://zb.t990.com/m.htm	%Temp%\Ole7.tmp
http://zb.t990.com/m.htm	%Temp%\Ole5.tmp

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%Windir%\ntkros.dll
%Windir%\ntsocks.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.