1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Security
  3. Security Lab
  4. Latest Threats
  5. Virus Descriptions
  6. Trojan-PSW:W32/Nilage.AFZ

Trojan-PSW:W32/Nilage.AFZ

Name : Trojan-PSW:W32/Nilage.AFZ
Detection Names : Trojan-PSW.Win32.Nilage.afz
Category:Malware
Type:Trojan-PSW
Platform:W32

Summary

Trojan-PSW:W32/Nilage.AFZ attempts to steal username and password information for the Lineage MMORPG.

Details


File System Changes
Creates these files:

  • %windir%\system32\explorer.exe
  • %windir%\system32\dab1.dll
  • c:\logo.dat



Registry Modifications
Sets these values:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe,


Additional Details

Nilage.AFZ terminates the following security related processes:

  • RavMon.exe
  • EGHOST.EXE
  • MAILMON.EXE
  • KAVPFW.EXE
  • IPARMOR.EXE
  • Ravmond.EXE

It also closes the window titled RavMonClass if it exists.

The trojan monitors traffic to the following URLs in order to steal username and password information:

  • https://cs.lineage.co.kr/account/losePassword/losePasswordCheck.asp
  • https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordSub.asp
  • https://cs.lineage.co.kr/account/losePassword/losePasswordForm.asp
  • https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordForm.asp

The stolen data is stored in c:\logo.dat before it is sent to the attacker via e-mail.