F-Secure Malware Information Pages: Trojan-PSW:W32/OnLineGames.JCT

Summary
The file detected as Trojan-PSW.Win32.OnLineGames.JCT drops another trojan, detected as Trojan-Downloader.Win32.Agent.BLM, which installs a driver named pcihdd.sys as a service and downloads further malware.

Detailed Description
On execution, files detected as Trojan-PSW.Win32.OnLineGames.JCT first change the access rights on the file %windir%\system32\drivers\pcihdd.sys and then delete it.

Note: %windir% typically refers to the C:\Windows folder.

The trojan then drops a file named 1010.inc, detected as Trojan-Downloader.Win32.Agent.BLM. 1010.inc in turn writes a new file named pcihdd.sys, also detected as Trojan-Downloader.Win32.Agent.BLM, into the drivers folder under the Windows system folder and creates the following registry entry so that it starts as a service:
- HKLM\System\CurrentControlSet\Services\PciHdd
  ImagePath = \??\C:\WINDOWS\system32\drivers\pcihdd.sys

OnLineGames.JCT may also attempt to download files from the following URLs:
- http://[REMOVED].mmma.biz/big.exe
- http://[REMOVED].mmma.biz/big1.exe
Both sites were offline during our investigation.

The driver pcihdd.sys attempts to download and parse a file from this URL:
- http://yu.8s7.net/cert.cer
At the time of investigation, that file contained a link to further malware that is detected as Worm.Win32.Agent.y.
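The service entry and the download URLs above are the indicators a responder would check for. The script below is an added example, not F-Secure's tooling: it parses a .reg export of the Services key taken from a suspect machine, flags any service whose ImagePath loads pcihdd.sys, and scans proxy log lines for the hosts named on this page. The .reg text and the log lines are constructed samples, and the "dl" host label in the log is made up because the page redacts the real one.

```python
"""Offline triage for the pcihdd.sys persistence described above.

Added example (not F-Secure's tooling). Parses a Windows .reg export of
HKLM\\SYSTEM\\CurrentControlSet\\Services, flags any service whose ImagePath
loads pcihdd.sys, and greps proxy log lines for the hosts named on the page.
Both inputs below are constructed samples, not captured data.
"""
import re

# Indicators taken from the description above.
DRIVER_NAME = "pcihdd.sys"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd"
IOC_HOSTS = {"mmma.biz", "yu.8s7.net"}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"

# Constructed .reg export. The PciHdd entry is written as a plain string to
# mirror the listing above; the Disk entry uses the hex(2) (REG_EXPAND_SZ,
# UTF-16LE) encoding that regedit actually emits for ImagePath.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\pcihdd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,69,00,73,00,6b,00,\
  2e,00,73,00,79,00,73,00,00,00
'''

# Constructed proxy log lines; the "dl" host label is made up (the page
# redacts the real one).
SAMPLE_PROXY_LOG = [
    "2008-04-29 10:01:02 192.0.2.10 GET http://www.example.com/index.html 200",
    "2008-04-29 10:01:05 192.0.2.10 GET http://dl.mmma.biz/big.exe 404",
    "2008-04-29 10:01:09 192.0.2.10 GET http://yu.8s7.net/cert.cer 200",
]


def _logical_lines(text):
    """Yield .reg lines with hex continuation lines (trailing ',\\') joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(",\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_value(data):
    """Decode the two value encodings this example needs; others stay verbatim."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r'\1', data[1:-1])  # undo \\ and \" escapes
    if data.startswith("hex(2):"):                      # REG_EXPAND_SZ, UTF-16LE
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                                        # dword:..., hex:..., etc.


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: decoded_data}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(data)
    return keys


def find_driver_services(keys, driver_name=DRIVER_NAME):
    """Return [(service_key, ImagePath)] for services whose ImagePath loads driver_name.

    Matching on the file name rather than the full path still catches the
    driver if a variant drops it elsewhere or omits the \\??\\ prefix.
    """
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX):
            continue
        image = values.get("ImagePath", "")
        if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == driver_name.lower():
            hits.append((key, image))
    return hits


def find_ioc_urls(log_lines, hosts=IOC_HOSTS):
    """Return log lines whose URL host is an IOC host or a subdomain of one."""
    url_re = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
    hits = []
    for line in log_lines:
        m = url_re.search(line)
        if m:
            host = m.group(1).lower()
            if any(host == h or host.endswith("." + h) for h in hosts):
                hits.append(line)
    return hits


if __name__ == "__main__":
    for key, path in find_driver_services(parse_reg_export(SAMPLE_REG)):
        print(f"suspect driver service: {key} -> {path}")
    for line in find_ioc_urls(SAMPLE_PROXY_LOG):
        print(f"IOC URL contacted: {line}")
```

The .reg parser only decodes quoted strings and hex(2) values, which is enough for ImagePath; other value types are kept as raw text. Matching the host against the IOC list by exact name or subdomain, rather than by substring, avoids false hits on look-alike domains that merely contain "mmma.biz".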
F-Secure Corporation
Last Modified: April 29, 2008