ThreatExpert Report: Infostealer.Lineage, Trojan-PSW.Win32.OnLineGames.bx, New Malware.ey..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 11 September 2008, 16:26:06
Processing time: 5 min 33 sec
Submitted sample:

File MD5: 0xFE5FF46C997E5800B76626A01CC6D3E4
File SHA-1: 0x1A3F05E889DA9245922D41425F7C21E096CF5CBB
Filesize: 48,768 bytes
Alias:

Infostealer.Lineage [Symantec]
Trojan-PSW.Win32.OnLineGames.bx [Kaspersky Lab]
New Malware.ey [McAfee]
Mal/EncPk-BW, Mal/Behav-160, Mal/Emogen-E [Sophos]
Trojan:Win32/Meredrop [Microsoft]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-PWS.OnlineGames.LP	Trojan.PSW.OnlineGames.LP attempts to steal password information from the following Massively Multiplayer Online Role Playing Game - MapleStory, Lineage and Kingdom of the Winds. The stolen information is then sent to the attacker. This threat uses rootkit to hide its existence.
Trojan-PSW.Nilage!sd5	Trojan-PSW.Nilage!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.
Trojan-PWS.Lineage	Trojan.PWSteal.Lineage is a group of password stealing Trojans that attempt to steal passwords associated with the game called "Lineage" or "Lineage II", and send it to the creator of the Trojan.
Trojan-PSW.OnLineGames!sd5	Trojan-PSW.OnLineGames!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A program that downloads files to the local computer that may represent security risk

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\Ole5.tmp %Temp%\Ole7.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%Temp%\sp.dat	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
3	%Temp%\uboot.dll	45,056 bytes	MD5: 0xC51A856D943BE14AF06CD6EE0AD40DDC SHA-1: 0x828DC86605432EA2C022F7513D8E0BF607733497	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.Nilage.bgj [Kaspersky Lab] PWS-Lineage.dll [McAfee] Mal_OLGM-1 [Trend Micro] PWS:Win32/Lineage.EA [Microsoft]
4	%Windir%\ntkros.dll	10,752 bytes	MD5: 0xFD80B4C2B40C31B6B10EAFF0066440A7 SHA-1: 0x0500EDCAC66903E7881F6091C17EE167A1DA30C0	Trojan-PSW.Nilage!sd5 [PCTools] Infostealer.Gampass [Symantec] Trojan-PSW.Win32.Nilage.bfo [Kaspersky Lab] PWS-Gamania.dll [McAfee] Mal_OLGM-2 [Trend Micro] Mal/Behav-160 [Sophos]
5	%Windir%\ntsock.exe	6,656 bytes	MD5: 0x3FAEF4023F03546634C9B567F39E053D SHA-1: 0xB0A4EECF84F923070B0FE9A93D3CDB4FED538548	Trojan-PSW.OnLineGames!sd5 [PCTools] Infostealer [Symantec] Trojan-PSW.Win32.OnLineGames.dl [Kaspersky Lab] PWS-Mmorpg.gen [McAfee] TROJ_OLGM.A [Trend Micro] Troj/Hangame-AX [Sophos]
6	%Windir%\ntsocks.dll	9,728 bytes	MD5: 0xCC50CCAADE7D5D53FF304B01A3AC58F4 SHA-1: 0xC2B7D7DFCBDD6F72B196B8DD662DACE6F843D8D3	Trojan-PSW.OnLineGames!sd5 [PCTools] Infostealer.Gampass [Symantec] Trojan-PSW.Win32.OnLineGames.bx [Kaspersky Lab] PWS-Gamania.dll [McAfee] Mal_OLGM-2 [Trend Micro] Troj/Hangame-AV [Sophos]
7	%Windir%\ntsys.exe	8,192 bytes	MD5: 0xBA596F718096AFAFFE8C03A9B2F2EDC8 SHA-1: 0x47D36B9C81C17C0F136B232910442DA7FBEC7A01	Trojan-PSW.Nilage!sd5 [PCTools] Downloader [Symantec] Trojan-PSW.Win32.Nilage.bfo [Kaspersky Lab] Mal_OLGM-2 [Trend Micro] Mal/Behav-160 [Sophos]
8	[file and pathname of the sample #1]	48,768 bytes	MD5: 0xFE5FF46C997E5800B76626A01CC6D3E4 SHA-1: 0x1A3F05E889DA9245922D41425F7C21E096CF5CBB	Infostealer.Lineage [Symantec] Trojan-PSW.Win32.OnLineGames.bx [Kaspersky Lab] New Malware.ey [McAfee] Mal/EncPk-BW, Mal/Behav-160, Mal/Emogen-E [Sophos] Trojan:Win32/Meredrop [Microsoft]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
ntboot.bin	c:\ntboot.bin	57,344 bytes
uboot.bin	c:\uboot.bin	65,536 bytes
ntsys.exe	%Windir%\ntsys.exe	36,864 bytes
ntsock.exe	%Windir%\ntsock.exe	32,768 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	155,648 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

winabc = "rundll32.exe %Temp%\uboot.dll,abcLaunchEv"

so that uboot.dll runs every time Windows starts

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit = "%System%\userinit.exe,%Windir%\ntsock.exe"

so that ntsock.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

load = "%Windir%\ntsys.exe"

so that ntsys.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

cyh
smk
ZXZB

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
zb.lo-t.com	0	(null)	(null)

The following HTTP URLs were started reading:

http://zb.lo-t.com/spcode.dat
http://zb.lo-t.com/i.htm

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://zb.t990.com/m.htm	%Temp%\Ole7.tmp
http://zb.t990.com/m.htm	%Temp%\Ole5.tmp

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%Windir%\ntkros.dll
%Windir%\ntsocks.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.