TSPY_GAMETHI.AB

This spyware may be dropped by other malware.

It steals sensitive information such as user names and passwords related to certain games.

Arrival Details

This spyware may be dropped by the following malware:

• WORM_GAMMIM.AB

Information Theft

This spyware steals sensitive information such as user names and passwords related to the following games:

• Arad Hangame
• Atlantica
• Cabal
• Forthgoer
• GungHo
• MapleStory
• PlayOnline
• Ragnarok
• Red Stone
• Tales Weaver

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}ef8t.com/r1b/rty/lin.asp
• http://{BLOCKED}ef8t.com/r1b/rjt/lin.asp

Other Details

This spyware does the following:

• Checks if the following processes related to antivirus are running in memory:
  • ALUSCHEDULERSVC.EXE
  • ASHDISP.EXE
  • AVGNT.EXE
  • AVGRSX.EXE
  • AVP.EXE
  • AYAGENT.AYE
  • CCSVCHST.EXE
  • EKRN.EXE
  • LIVESRV.EXE
  • UFSEAGNT.EXE
  • VCRMON.EXE
  • VSTSKMGR.EXE
• It retrieves the folder where the said files are located. It will then search for any of the following component files, depending on the antivirus process it finds:
  • AYUpdate.aye
  • SfFnUp.exe
  • UfUpdUi.exe
  • Update.exe
  • avast.setup
  • avgupd.exe
  • eguiEmon.dll
  • eguiEpfw.dll
  • ekrnEmon.dll
  • ekrnEpfw.dll
  • luall.exe
  • mcupdate.exe
  • preupd.exe
  • prupdate.ppl
  • setup.ovr
  • update.exe
  • updater.dll
  • vsupdate.dll
• Searches files from the said folder with the following extensions:
  • .DLL
  • .EXE
• This spyware also moves the files it has found in %System Root% and replaces the file name with {file name}.{extension}.vcd.
• This spyware steals login credentials for Yahoo! Japan.

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)