Analysis by: Anthony Joe Melgarejo

ALIASES:

PWS:Win32/OnLineGames.AH (Microsoft), RDN/PWS-Mmorpg!jt (McAfee), Mal/GamePSW-C (Sophos)

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It injects its dropped file/component to specific processes.

It deletes registry entries, causing some applications and programs to not function properly.

As of this writing, the said sites are inaccessible.

It monitors user transactions on certain sites. It steals sensitive information such as user names and passwords related to certain games. It retrieves specific information from the affected system.

  TECHNICAL DETAILS

File Size: 995,810 bytes
Memory Resident: Yes
Initial Samples Received Date: 27 Jun 2013
Payload: Connects to URLs/IPs, Modifies files

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

  • %User Temp%\{random 1}.dll - also detected as TSPY_ONLINEG.OKO
  • %User Temp%\{random 2}.dll - also detected as TSPY_ONLINEG.OKO
  • %System%\kakutk.dll - also detected as TSPY_ONLINEG.OKO
  • %System%\drivers\0135cf9b.sys - also detected as TSPY_ONLINEG.OKO

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following non-malicious files:

  • %User Temp%\A1.zip
  • %User Temp%\B1.zip
  • %User Temp%\C1.zip
  • %System%\safemono.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It injects its dropped file/component to the following processes:

  • explorer.exe

Autostart Technique

This spyware adds the following registry keys to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{AB705622-B25B-491B-4A46FDDBC88E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AB705622-B25B-491B-4A46FDDBC88E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{AB705622-B25B-491B-4A46FDDBC88E}

It adds the following registry entries to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
IEHlprObj.1\CLSID
Default = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\0135cf9b

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\7d9efa1d

Other System Modifications

This spyware modifies the following file(s):

  • %System%\midimap.dll
  • %System%\wshtcpip.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\HOOK_ID
name = "{random}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\SYS_DLL
name = "{random}.dll"

It deletes the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ctfmon.exe = "%System%\ctfmon.exe"
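The host artifacts listed under Installation, Autostart Technique and Other System Modifications can be checked with a read-only PowerShell triage script. The script below is an added example and is not part of the Trend Micro description; it assumes the indicator values exactly as given on this page, matches the BHO CLSID by the prefix `{AB705622-B25B-491B-` because the page lists that identifier in two forms, and assumes PowerShell 4 or later for Get-FileHash. It only reports; cleanup stays with the product scan and the Solution steps.

```powershell
# Added example (not from the Trend Micro page): read-only check for the
# TSPY_ONLINEG.OKO host indicators listed in the description above.
# Assumption: indicator names/paths are taken verbatim from this page.

$findings = New-Object System.Collections.Generic.List[string]
$system = Join-Path $env:SystemRoot 'System32'

# 1. Dropped files with fixed names. The {random 1}.dll / {random 2}.dll
#    components cannot be matched by name, so they are left to the AV scan.
$droppedFiles = @(
    (Join-Path $system 'kakutk.dll'),
    (Join-Path $system 'drivers\0135cf9b.sys'),
    (Join-Path $system 'safemono.dll'),
    (Join-Path $env:TEMP 'A1.zip'),
    (Join-Path $env:TEMP 'B1.zip'),
    (Join-Path $env:TEMP 'C1.zip')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("dropped file present: $f") }
}

# 2. Service keys the spyware creates for its dropped component
foreach ($svc in '0135cf9b', '7d9efa1d') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("service key present: $key (ImagePath: $image)")
    }
}

# 3. BHO registration under Classes\CLSID, Interface and TypeLib.
#    The page prints the CLSID in two forms, so match on the shared prefix.
$clsidPrefix = '{AB705622-B25B-491B-'
foreach ($branch in 'CLSID', 'Interface', 'TypeLib') {
    Get-ChildItem -LiteralPath "HKLM:\SOFTWARE\Classes\$branch" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName.StartsWith($clsidPrefix, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object { $findings.Add("BHO class key present: $($_.Name)") }
}
$progId = 'HKLM:\SOFTWARE\Classes\IEHlprObj.1\CLSID'
if (Test-Path -LiteralPath $progId) {
    $default = (Get-ItemProperty -LiteralPath $progId -ErrorAction SilentlyContinue).'(default)'
    $findings.Add("BHO ProgID present: $progId -> $default")
}

# 4. Marker keys written under Classes\CLSID (HOOK_ID / SYS_DLL)
foreach ($marker in 'HOOK_ID', 'SYS_DLL') {
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$marker"
    if (Test-Path -LiteralPath $key) {
        $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).name
        $findings.Add("marker key present: $key (name = $name)")
    }
}

# 5. The HKCU Run value the spyware deletes. Its absence is weak evidence on
#    its own (clean systems may not have it either), so it is reported as such.
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and -not $run.PSObject.Properties['ctfmon.exe']) {
    $findings.Add('HKCU Run value ctfmon.exe is missing (weak indicator; deleted by the spyware on infected hosts)')
}

# 6. System DLLs the page says are modified: record hashes so they can be
#    compared with a known-good copy from installation media or a clean host.
foreach ($dll in 'midimap.dll', 'wshtcpip.dll') {
    $path = Join-Path $system $dll
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("compare against known-good copy: $path SHA256=$hash")
    }
}

if ($findings.Count -eq 0) { 'No TSPY_ONLINEG.OKO host indicators found.' } else { $findings }
```

Run it in an elevated PowerShell session on the suspect host; the hash lines in section 6 are informational and need a trusted reference copy to be meaningful.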

Process Termination

This spyware terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • AhnFlt2k.sys
  • AhnFltNt.sys
  • AhnRec2k.sys
  • AhnRecNt.sys
  • AhnRghNt.sys
  • ahnsze.sys
  • ASHUPD.EXE
  • AvastSvc.exe
  • AVASTUI.EXE
  • AVCENTER.EXE
  • AVGAM.EXE
  • AVGEMC.EXE
  • AVGFRW.EXE
  • AVGNSX.EXE
  • avgnt.exe
  • AVGRSX.EXE
  • AVGUARD.EXE
  • AVGUPD.EXE
  • avgwdsvc.exe
  • avp.exe
  • AVSCAN.EXE
  • AVUPGSVC.EXE
  • AVWSC.EXE
  • ayagent.aye
  • AYRTSrv.aye
  • AYUpdSrv.aye
  • BDAGENT.EXE
  • BDREINIT.EXE
  • CCSVCHST.EXE
  • CHROME.EXE
  • EGUI.EXE
  • ekrn.exe
  • EstRtw.sys
  • FIREFOX.EXE
  • Mctray.exe
  • MSSECES.EXE
  • MUPDATE2.EXE
  • MYSFTY.EXE
  • NaverAgent.exe
  • NAVW32.EXE
  • NSAVSVC.NPC
  • Nsvmon.npc
  • NVCAGENT.NPC
  • SECCENTER.EXE
  • SGRUN.EXE
  • SGSVC.EXE
  • SGUI.EXE
  • SHSTAT.EXE
  • UDATERUI.EXE
  • UPDATESRV.EXE
  • v3core.sys
  • v3engine.sys
  • V3LRUN.EXE
  • V3LSvc.exe
  • V3LTray.exe
  • V3SP.EXE
  • V3SVC.EXE
  • V3UP.EXE
  • VSSERV.EXE

Download Routine

This spyware connects to the following URL(s) to download its component file(s):

  • http://{BLOCKED}m.lfllja.com/cs0719

As of this writing, the said sites are inaccessible.

Information Theft

This spyware monitors user transactions done on the following websites:

  • aion.plaync.jp
  • aran.kr.gameclub.com
  • asgard.nexon.com
  • auth.siren24.com
  • bank.cu.co.kr
  • banking.nonghyup.com
  • baram.nexon.com
  • bns.plaync.com
  • capogames.net
  • clubaudition.ndolfin.com
  • cyphers.nexon.com
  • df.nexon.com
  • dk.halgame.com
  • dragonnest.nexon.com
  • elsword.nexon.com
  • fifaonline.pmang.com
  • fifaonline3.nexon.com
  • hangame.com
  • heroes.nexon.com
  • id.hangame.com
  • ipin.siren24.com
  • itemmania.com
  • kr.battle.net
  • lod.nexon.com
  • login.nexon.com
  • maplestory.nexon.com
  • mo.netmarble.net
  • ncoin.plaync.com
  • netmarble.net
  • nexon.com/cash/page/payrequest.aspx
  • npubid.hangame.com
  • pay.neowiz.com
  • plaync.co.kr
  • poker.hangame.com/baduki.nhn
  • poker.hangame.com/duelpoker.nhn
  • poker.hangame.com/highlow2.nhn
  • poker.hangame.com/hoola3.nhn
  • poker.hangame.com/laspoker.nhn
  • poker.hangame.com/poker7.nhn
  • r2.webzen.co.kr
  • samwinfo.capogames.net
  • tales.nexon.com
  • tera.hangame.com
  • www.booknlife.com/bnl_new/community
  • www.booknlife.com
  • www.booknlife.com/bnl_new/giftcard
  • www.capogames.net
  • www.cultureland.co.kr
  • www.gersang.co.kr
  • www.happymoney.co.kr
  • www.happymoney.co.kr/happyorder/cashchargebuy.hm
  • www.happymoney.co.kr/member/login.hm
  • www.itembay.com
  • www.kmcert.com
  • www.nexon.com
  • www.pmang.com/game_top.nwz?ssn=40
  • www.pmang.com
  • www.pmang.com/game_top.nwz?ssn=2
  • www.pmang.com/game_top.nwz?ssn=23
  • www.pmang.com/game_top.nwz?ssn=3
  • www.pmang.com/game_top.nwz?ssn=43
  • www.pmang.com/game_top.nwz?ssn=1
  • www.pmang.com/game_top.nwz?ssn=14
  • www.pmang.com/game_top.nwz?ssn=24
  • www.pmang.com/game_top.nwz?ssn=25
  • www.pmang.com/game_top.nwz?ssn=26
  • www.pmang.com/game_top.nwz?ssn=17
  • www.pmang.com/game_top.nwz?ssn=18
  • www.pmang.com/game_top.nwz?ssn=19
  • www.teencash.co.kr
  • yulgang.mgame.com

It steals sensitive information such as user names and passwords related to the following games:

  • ArcheAge
  • Cabal2
  • Diablo
  • Duke Nukem Forever (DNF)
  • Dungeon & Fighter
  • Elsword
  • Kingdom of the Winds
  • Lineage
  • MapleStory
  • WinBaram
  • World of Warcraft

It retrieves the following information from the affected system:

  • MAC address
  • OS version
  • Installed AV software
  • Number of running processes

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URLs:

  • http://banana.{BLOCKED}er.com/xin87842647df/lin.asp
  • http://banana.{BLOCKED}r.com/838483dfotp/lin.asp
  • http://banana.{BLOCKED}r.com/xin09923929mxd/lin.asp
  • http://green.{BLOCKED}r.com/po23924898df/lin.asp
  • http://green.{BLOCKED}r.com/po9819219mxd/lin.asp
  • http://{BLOCKED}.{BLOCKED}.210.187/kaixin/mail.asp?mac={mac address}&os={OS version}&avs={AV software present}&ps={value}&ver={value}&pnum={number of running processes}
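The check-in and exfiltration traffic described in the Information Theft and Stolen Information sections leaves a recognisable shape in web-proxy logs: HTTP POSTs to a `lin.asp` path on a `banana.` or `green.` host, and a GET to `/kaixin/mail.asp` whose query string carries the `mac`, `os`, `avs`, `ps`, `ver` and `pnum` fields. The script below is an added example, not part of the Trend Micro page; the log format and every log line are constructed, and the hosts and IP in them are placeholders rather than the real (blocked) domains.

```powershell
# Added example (not from the Trend Micro page): flag proxy-log lines that match
# the TSPY_ONLINEG.OKO beacon patterns described above.
# Assumed log format (constructed, W3C-like): date time client-ip method url status

function Test-OnlineGBeacon {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$Method = 'GET'
    )
    $uri = [System.Uri]$Url
    $reasons = @()

    # Pattern 1: HTTP POST to */lin.asp on a banana./green. host (Stolen Information section)
    if ($Method -eq 'POST' -and $uri.AbsolutePath -like '*/lin.asp' -and $uri.Host -match '^(banana|green)\.') {
        $reasons += 'POST to */lin.asp on banana./green. host'
    }

    # Pattern 2: /kaixin/mail.asp carrying the system fingerprint fields listed on the page
    if ($uri.AbsolutePath -like '*/kaixin/mail.asp') {
        $params = @{}
        foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $params[$kv[0]] = [System.Uri]::UnescapeDataString($kv[1]) }
        }
        $required = 'mac', 'os', 'avs', 'pnum'
        $missing = @($required | Where-Object { -not $params.ContainsKey($_) })
        if ($missing.Count -eq 0) {
            $reasons += "system fingerprint sent: mac=$($params.mac) os=$($params.os) avs=$($params.avs) pnum=$($params.pnum)"
        }
    }
    return $reasons
}

function Find-OnlineGLogHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 5) { continue }   # skip blank or malformed lines
        $hits = Test-OnlineGBeacon -Url $fields[4] -Method $fields[3]
        foreach ($h in $hits) {
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $fields[2]
                Reason = $h
            }
        }
    }
}

# Constructed sample log; hosts and the IP are placeholders, not the real domains.
$sampleLog = @'
2013-06-27 10:01:02 10.0.0.15 GET http://www.example.com/index.html 200
2013-06-27 10:01:09 10.0.0.15 POST http://banana.example.net/xin87842647df/lin.asp 200
2013-06-27 10:01:15 10.0.0.15 GET http://198.51.100.7/kaixin/mail.asp?mac=00-11-22-33-44-55&os=5.1&avs=AhnLab&ps=1&ver=2&pnum=37 200
2013-06-27 10:02:00 10.0.0.21 POST http://www.example.com/login 302
'@

Find-OnlineGLogHits -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample the first and last lines are ignored and the two middle lines are reported, the second one with the decoded MAC address, OS version, AV name and process count, which is exactly the data the page says is retrieved from the affected system. Pipe a real proxy export into `Find-OnlineGLogHits` after adapting the field positions in the `-split` to that log's layout.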

NOTES:

Some of the process or services it terminates are related to antivirus or security software.

It renames the following files using random characters to make them unusable:

  • %Program Files%\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
  • %Program Files%\Java\jre{version number}\lib\deploy\jqs\ie\jqs_plugin.dll
  • %Program Files%\Java\jre{version number}\bin\jp2ssv.dll

It deletes all other BHOs in the affected system.

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 10.120.03
FIRST VSAPI PATTERN DATE: 27 Jun 2013
VSAPI OPR PATTERN File: 10.121.00
VSAPI OPR PATTERN Date: 27 Jun 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as TSPY_ONLINEG.OKO.

Step 3

Restart in Safe Mode


Step 4

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.1\CLSID
    • Default = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}"

Step 5

Delete this registry key


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page. If the preceding step required you to restart in Safe Mode, you may proceed to edit the system registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {AB705622-B25B-491B-4A46FDDBC88E}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {AB705622-B25B-491B-4A46FDDBC88E}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {AB705622-B25B-491B-4A46FDDBC88E}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • 0135cf9b
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • 7d9efa1d

Step 6

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

  • %User Temp%\A1.zip
  • %User Temp%\B1.zip
  • %User Temp%\C1.zip
  • %System%\safemono.dll

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_ONLINEG.OKO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore these files from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.

  • %System%\midimap.dll
  • %System%\wshtcpip.dll
  • %Program Files%\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
  • %Program Files%\Java\jre{version number}\lib\deploy\jqs\ie\jqs_plugin.dll
  • %Program Files%\Java\jre{version number}\bin\jp2ssv.dll
