Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Trojan-PSW:W32/OnLineGames.JCT

[Summary] | [Detailed Description]

Name : Trojan-PSW:W32/OnLineGames.JCT
Alias:Trojan-PSW.Win32.OnLineGames.jct
Type:Trojan-PSW
Category:Malware
Platform:W32
Date of Discovery:November 30, 2007
Radar

Summary
The file detected as Trojan-PSW.Win32.OnLineGames.JCT drops another trojan that is detected as Trojan-Downloader.Win32.Agent.BLM.
Back to the Top

Detailed Description
On execution, files detected as Trojan-PSW.Win32.OnLineGames.jct will modify the access rights for the file named %windir%\system32\drivers\pcihdd.sys. It then deletes pcihdd.sys.

It drops a file called 1010.inc that is detected as
Trojan-Downloader.Win32.Agent.blm.

Note: %windir% typically refers to the C:\Windows folder.

The file 1010.inc will drop a new file using the name pcihdd.sys that is detected as Trojan-Downloader.Win32.Agent.blm. It drops the file to the windows system folder and creates the following registry entry to start as a service:

  • HKLM\System\CurrentControlSet\Services\PciHdd
    ImagePath = \??\C:\WINDOWS\system32\drivers\pcihdd.sys

OnlineGames.JCT may also attempt to load files from the following URLs:

  • http://[REMOVED].mmma.biz/big.exe
  • http://[REMOVED].mmma.biz/big1.exe

The sites were offline during our investigations.

The file pcihdd.sys will attempt to download and parse a file from this URL:

  • http://yu.8s7.net/cert.cer

At the time of investigation, the said file contains a link to another malware that is detected as Worm.Win32.Agent.y.

  • http://yu.8s7.net/ds.jpg
Back to the Top



F-Secure Corporation

Last Modified: April 29, 2008