Last February, our colleague Chun blogged about TrojanDownloader:Win32/Chekafe.A, which checks whether the system is in an Internet cafe and, if so, downloads password-stealing trojans that target MMORPG online games. Now we look deeper into one of the trojans it downloads, PWS:Win32/OnLineGames.GP (example SHA1: 935c02f86ed1212237a6a78801f41eb4a43d9ade).
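The post goes on to describe how this trojan patches legitimate DLLs by inserting a small piece of malicious code. From the defender's side, the practical question is how to tell whether a DLL on disk has been tampered with in that way. The following is an added example, not code from the original post or from Microsoft: a small PE section-table parser with two heuristics that catch the classic file-patching pattern, which it assumes rather than takes from the post (execution redirected to an appended or writable section, or section bytes overwritten in place). The PE images it analyses are constructed in the block and labelled as such; `build_pe`, `audit` and `baseline_of` are names chosen here.

```python
"""Heuristic integrity check for a PE image (DLL or EXE).

Added example, not from the original post. It assumes the usual file-patching
pattern (a stub inserted or appended and execution redirected to it) and reports:
  1. an entry point that lands anywhere but the first code section
     (trailing, writable or non-executable section);
  2. a section whose raw bytes no longer match a known-good baseline hash.
"""
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_off, raw_size, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, raw_off, raw_size, flags))
    return entry_rva, sections


def baseline_of(data):
    """SHA-256 of each section's raw bytes, taken from a known-good copy of the DLL."""
    _, sections = parse_sections(data)
    return {name: hashlib.sha256(data[raw_off:raw_off + raw_size]).hexdigest()
            for name, _va, _vs, raw_off, raw_size, _f in sections}


def audit(data, baseline=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    entry_rva, sections = parse_sections(data)
    # Section whose virtual range contains the entry point
    home = next((s for s in sections if s[1] <= entry_rva < s[1] + max(s[2], s[4])), None)
    if home is None:
        findings.append("entry point 0x%x lies outside every section" % entry_rva)
    else:
        name, flags = home[0], home[5]
        if not flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("entry point in non-executable section %r" % name)
        if flags & IMAGE_SCN_MEM_WRITE:
            findings.append("entry point in writable section %r" % name)
        first_code = next((s for s in sections if s[5] & IMAGE_SCN_CNT_CODE), None)
        if first_code is not None and first_code is not home:
            findings.append("entry point in %r, not in first code section %r" % (name, first_code[0]))
        if len(sections) > 1 and home is sections[-1]:
            findings.append("entry point in last section %r (typical of appended code)" % name)
    for name, _va, _vs, raw_off, raw_size, _f in sections:
        if baseline and name in baseline:
            if hashlib.sha256(data[raw_off:raw_off + raw_size]).hexdigest() != baseline[name]:
                findings.append("section %r content differs from baseline" % name)
    return findings


def build_pe(entry_rva, sections):
    """Build a minimal, parseable (not loadable) PE32 image from (name, flags, bytes) tuples.
    Constructed test fixture only."""
    align = 0x200
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    hdr_len = (hdr_len + align - 1) // align * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    table, body, va, raw = b"", b"", 0x1000, hdr_len
    for name, flags, raw_bytes in sections:
        padded = raw_bytes.ljust((len(raw_bytes) + align - 1) // align * align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw_bytes), va, len(padded), raw, 0, 0, 0, 0, flags)
        body += padded
        va += 0x1000                                     # one page per section (fixture only)
        raw += len(padded)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CODE = bytes(range(64))                                  # constructed stand-in for .text bytes

CLEAN_DLL = build_pe(0x1004, [(".text", TEXT, CODE), (".data", DATA, b"\x11" * 32)])
# Constructed "patched" variants: a stub appended as a new writable code section with the
# entry point redirected into it, and bytes overwritten in place inside .text.
APPENDED_DLL = build_pe(0x3000, [(".text", TEXT, CODE), (".data", DATA, b"\x11" * 32),
                                 (".stub", TEXT | IMAGE_SCN_MEM_WRITE, b"\x90" * 16)])
INPLACE_DLL = build_pe(0x1004, [(".text", TEXT, CODE[:8] + b"\xcc" * 8 + CODE[16:]),
                                (".data", DATA, b"\x11" * 32)])

if __name__ == "__main__":
    base = baseline_of(CLEAN_DLL)
    for label, img in (("clean", CLEAN_DLL), ("appended", APPENDED_DLL), ("in-place", INPLACE_DLL)):
        print(label, audit(img, base) or "no findings")
```

The entry-point heuristics work with no prior knowledge of the file and are cheap enough to run across a whole system directory; the baseline comparison needs a trusted copy of each DLL (for example, hashes recorded from clean installation media), but it is the only one of the two that catches an in-place overwrite that leaves the entry point alone. In practice a catalogue or Authenticode signature check does the baseline part for signed system DLLs.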
PWS:Win32/OnLineGames.GP, like other password-stealing trojans, monitors processes belonging to MMORPG online games in order to steal account information: the account password, character status and gold count. Over the years we have watched these password-stealing trojans evolve from logging keystrokes to monitoring window names, and even to adding worm capabilities. Lately we have observed that, in addition to the arsenal above, PWS:Win32/OnLineGames.GP patches specific DLL files. What do we mean by "patch"? Patched files, in this case, are files into which a tiny piece of malicious code has been inserted. PWS:Win32/OnLineGames.GP patches DLL files including, but not limited to, the following: