Malware - Harmful DLLs
This file was recently detected as a harmful Trojan. It registers a 32-bit in-process server DLL, and an application-defined hook procedure was installed into the hook chain (to monitor keystrokes). These are the aliases reported by different antivirus programs (ref: ThreatExpert report):
- Infostealer.Gampass [Symantec]
- PWS:Win32/Lmir.S [Microsoft]
- Trojan-GameThief.Win32.OnLineGames.synh [Kaspersky Lab]
- PWS.Win32.OnLineGames.S [Ikarus]
- PWS-Gamania.gen.dll [McAfee]
- Troj/HkDla-Gen [Sophos]
- Trojan-GameThief.Win32.OnLineGames.sxsu [Kaspersky Lab]
- Trojan-GameThief.Win32.OnLineGames.tcog [Kaspersky Lab]

The following files were created along with it:
- C:\Documents and Settings\[UserName]\Local Settings\Temp\1.tmp
- C:\Documents and Settings\[UserName]\Local Settings\Temp\1.tmp.bat
- C:\Windows\System32\lweurqhx.dll
- C:\Windows\System32\lweurqhx.nls
The following registry keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32

The newly created registry values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32]
  - (Default) = "%System%\lweurqhx.dll"
  - ThreadingModel = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  - {71A78CD4-E470-4a18-8457-E0E0283DD507} = ""
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  - lweurqhx.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"
Reprinted with permission from ThreatExpert.