F-Secure
Tools
Trojan-PSW:W32/OnLineGames.JCT
Summary
The file detected as Trojan-PSW.Win32.OnLineGames.JCT drops another trojan that is detected as Trojan-Downloader.Win32.Agent.BLM.
Additional Details
On execution, files detected as Trojan-PSW.Win32.OnLineGames.jct will modify the access rights for the file named %windir%\system32\drivers\pcihdd.sys. It then deletes pcihdd.sys.
It drops a file called 1010.inc that is detected as
Trojan-Downloader.Win32.Agent.blm.
Note: %windir% typically refers to the C:\Windows folder.
The file 1010.inc will drop a new file using the name pcihdd.sys that is detected as Trojan-Downloader.Win32.Agent.blm. It drops the file to the windows system folder and creates the following registry entry to start as a service:
OnlineGames.JCT may also attempt to load files from the following URLs:
The sites were offline during our investigations.
The file pcihdd.sys will attempt to download and parse a file from this URL:
At the time of investigation, the said file contains a link to another malware that is detected as Worm.Win32.Agent.y.
It drops a file called 1010.inc that is detected as
Trojan-Downloader.Win32.Agent.blm.
Note: %windir% typically refers to the C:\Windows folder.
The file 1010.inc will drop a new file using the name pcihdd.sys that is detected as Trojan-Downloader.Win32.Agent.blm. It drops the file to the windows system folder and creates the following registry entry to start as a service:
- HKLM\System\CurrentControlSet\Services\PciHdd
ImagePath = \??\C:\WINDOWS\system32\drivers\pcihdd.sys
OnlineGames.JCT may also attempt to load files from the following URLs:
- http://[REMOVED].mmma.biz/big.exe
- http://[REMOVED].mmma.biz/big1.exe
The sites were offline during our investigations.
The file pcihdd.sys will attempt to download and parse a file from this URL:
- http://yu.8s7.net/
cert.cer
At the time of investigation, the said file contains a link to another malware that is detected as Worm.Win32.Agent.y.
- http://yu.8s7.net/ds.jpg