F-Secure
Tools
Trojan-PSW:W32/Nilage.AFZ
| Name : | Trojan-PSW:W32/Nilage.AFZ |
| Detection Names : |
Trojan-PSW.Win32.Nilage.afz |
| Category: | Malware |
| Type: | Trojan-PSW |
| Platform: | W32 |
Summary
Trojan-PSW:W32/Nilage.AFZ attempts to steal username and password information for the Lineage MMORPG.
Details
File System Changes
Creates these files:
• %windir%\system32\explorer.exe
• %windir%\system32\dab1.dll
• c:\logo.dat
Registry Modifications
Sets these values:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe,
Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe,
Additional Details
Nilage.AFZ terminates the following security related processes:
It also closes the window titled RavMonClass if it exists.
The trojan monitors traffic to the following URLs in order to steal username and password information:
The stolen data is stored in c:\logo.dat before it is sent to the attacker via e-mail.
• RavMon.exe
• EGHOST.EXE
• MAILMON.EXE
• KAVPFW.EXE
• IPARMOR.EXE
• Ravmond.EXE
It also closes the window titled RavMonClass if it exists.
The trojan monitors traffic to the following URLs in order to steal username and password information:
• https://cs.lineage.co.kr/account/losePassword/losePasswordCheck.asp
• https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordSub.asp
• https://cs.lineage.co.kr/account/losePassword/losePasswordForm.asp
• https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordForm.asp
The stolen data is stored in c:\logo.dat before it is sent to the attacker via e-mail.