F-Secure Malware Information Pages: Trojan-PSW:W32/Nilage.AFZ

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: Trojan-PSW:W32/Nilage.AFZ

[Summary] \| [Details] \| [Additional Details]
Name :	Trojan-PSW:W32/Nilage.AFZ
Detection Names :	Trojan-PSW.Win32.Nilage.afz
Type:	Trojan-PSW
Category:	Malware
Platform:	W32

Radar

Summary

Trojan-PSW:W32/Nilage.AFZ attempts to steal username and password information for the Lineage MMORPG.

Back to the Top

Details

File System Changes
Creates these files:

%windir%\system32\explorer.exe
%windir%\system32\dab1.dll
c:\logo.dat

Registry Modifications
Sets these values:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\explorer.exe,

Back to the Top

Additional Details

Nilage.AFZ terminates the following security related processes:

RavMon.exe
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE
Ravmond.EXE

It also closes the window titled RavMonClass if it exists.

The trojan monitors traffic to the following URLs in order to steal username and password information:

https://cs.lineage.co.kr/account/losePassword/losePasswordCheck.asp
https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordSub.asp
https://cs.lineage.co.kr/account/losePassword/losePasswordForm.asp
https://cs.lineage.co.kr/account/forgetPassword/forgetPasswordForm.asp

The stolen data is stored in c:\logo.dat before it is sent to the attacker via e-mail.

Back to the Top

F-Secure Corporation

Last Modified: September 04, 2008