Win32/Frethog
Original issue date:
July
11, 2008
It has been observed that various variants of Win32/Frethog family of Trojans are spreading widely.Win32/Frethog is a large family of password-stealing Trojans that target confidential data from Massive Multiplayer Online Role Playing Games(MMORPGs)
Many of the Win32/Frethog Trojans are installed via browser exploits.
Aliases :
- PWS-Mmorpg.gen, PWS-WOW.gen.e (McAfee)
- Trojan-PSW.Win32.OnLineGames.ajsz (Kaspersky,F-Secure)
- PWS-LegMir, Infostealer.Gampass , W32.Gammima.AG (Symantec)
- Trj/Wow,Trj/Lineage(Panda)
- Mal/Dropper-O (Sophos)
- Win-Trojan/MalPacked.Gen (AhnLab)
- PSW.OnlineGames.AO (AVG)
- Trojan.PWS.OnlineGames.WND (BitDefender)
- Win32/Frethog.ATE (CA)Trojan.Spy-34056 (Clam AV)
- Win32/PSW.OnLineGames.NMY (ESET)
- W32/OnLineGames.AZZE (Norman),Mal/EncPk-DH (Sophos)
- Trojan.Lineage.Gen!Pac.7 (VirusBuster)
Win32/Frethog family of Trojans performs following actions :
- Installs itself to the system by copying its file to Windows folder and registers 32-bit in-process server DLLs and drops kernel-mode drivers in the system.
- Creates a startup key value in the Registry for the copied file.
- Injects the dropped DLL into the Windows Explorer process. The dropped DLL contains the encrypted URL that is used to send stolen data. The stolen data is sent to a hacker by accessing the specified website with a specially constructed URL. The Trojan can also try to connect to a hard-coded IP Address, create a socket and send stolen data to it.
- Uses the "AppInit_DLLs "value in order to install the dropped dll module that will be loaded into the address space of every running application.
- The trojan reads the process memory of certain game executables ,(WOW.EXE (World of Warcraft), ElementClient.exe (Perfect World), CabalMain.exe (Cabal Online)), certain variables from the games configuration files ( CurrentServer.ini file which gives current game server address ) then logs mouse actions and keyboard inputs to capture user credentials and attempts to contact a remote server to upload the stolen data.
- Some variants contact a remote server and requests/downloads malwares (Trojan.Popuper) that hijacks the default Internet Explorer settings and changes Internet Explorer homepage.
- Creates mutex to ensure that only one instance of itself is running.
- Attempts to circumvent security products by prevent AVP Antivirus from displaying notifications regarding system changes by closing windows used by this product and attempting to terminate Ravmon.exe if it is found to be running on the affected system.
- Obtains login account information for one or more of the following MMORPG’s such as Rainbow Island, Cabal Online, A Chinese Odyssey, Hao Fang Battle Net, Lineage, Gamania, MapleStory, qqgame, Legend of Mir, World Of Warcraft
Upon execution, the Trojan variants :
- drops the following hidd n EXE and DLL with the names in < system folder>
- amvo<number>.exe/dll
- kavo<number>.exe/dll
- awda<number>.exe/dll
- avpo<number>.exe/dll,
(<random 7 or 8 letter name)>
- gpr8.exe, soft28.exe, gpr3.exe, soft13.exe, soft1.exe,
tciocp64.exe
- msosdohs00.dll ,fmsjhif.dll ,tciocp64.dll
- Inject remote thread in other processes, such as:
- winlogon.exe
- services.exe
- svchost.exe
- explorer.exe
- spoolsv.exe
- msmsgs.exe
- vmsrvc.exe
- lsass.exe
- iexplorer.exe
- dllhost.exe
- Modify registry keys such as:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run ="<system folder>\*.exe"
- AppInit_DLLs = "*.dll" under key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Windows to run the dll every time a
Windows
application starts
- Installs kernel-mode drivers in the system and creates registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
LEGACY_<drivername>0000\Control
NewlyCreated* = 0x00000000
ActiveService = "<drivername>"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
LEGACY_<drivername>\0000
Service = <drivername>
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8 ECC 055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = <drivername>
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
EGACY_<drivername>
NextInstance = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
<drivername>
Type = 0x00000001
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\d32dx9.sys"
DisplayName = "<drivername>"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\
LEGACY_<drivername>\0000\Control
NewlyCreated* = 0x00000000
ActiveService = "<drivername>"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\
Root\LEGACY_<drivername>\0000
Service = "HiddFldy"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8 ECC 055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "<drivername>"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\
Root\LEGACY_<drivername>
NextInstance = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\
Services\<drivername>\Enum
0 = "Root\LEGACY_<drivername>0000"
Count = 0x00000001
NextInstance = 0x00000001
In view of rapid propagation of the Frethog Trojan variants, users are advised to implement the following countermeasures :
- Delete executables with the abovementioned names.
- Delete the registry entries made by the Trojan a mentioned above.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep up-to-date on patches and fixes on the operating system.
- Install and maintain Desktop Firewall and block the ports which are not required.
References
Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?
Name=Win32/Frethog
Threatexpert
http://www.threatexpert.com/report.aspx?uid=480771
fa-71b5-44ad-bc7c-325416142b3e
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
|
