Analysis by: Roland Marco Dela Paz
 Modified by: Christopher Daniel So
ALIASES:

PWS:Win32/OnLineGames.LH (Microsoft), Bloodhound.Gampass.E (Symantec). Trojan-GameThief.Win32.OnLineGames.ajgtd (Kaspersky)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This spyware may be dropped by other malware.

It steals sensitive information such as user names and passwords related to certain games.

  TECHNICAL DETAILS

File Size: Varies
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 03 May 2012
Payload: Connects to URLs/IPs

Arrival Details

This spyware may be dropped by the following malware:

  • TROJ_SPYDROP.AD

Installation

This spyware terminates itself if it finds the following processes in the affected system's memory:

  • AyAgent.aye
  • AYRTSrv.aye
  • AYServiceNT.aye
  • AYupdate.aye
  • AYUpdSrv.aye
  • MUpdate2.exe
  • NaverAgent.exe
  • Nsavsvc.npc
  • nsvmon.npc
  • NVCAgent.npc
  • sgbider.exe
  • SgSvc.exe
  • SkyMon.exe
  • SystemMon.exe
  • V3Light.exe
  • V3LRun.exe
  • V3LSvc.exe
  • V3LTray.exe
  • vcsvc.exe
  • vcsvcc.exe

Information Theft

This spyware steals sensitive information such as user names and passwords related to the following games:

  • Dungeon & Fighter (dnf.exe)
  • FIFA Online (ff2client.exe)
  • Heroes of the Pacific (heroes.exe)
  • MapleStory (MapleStory.exe, NGM.exe)
  • Ncsoft Lineage (lin.bin)
  • Raycity.exe (RayCity)
  • WinBaram (WinBaram.exe)
  • World of Warcraft (wow.exe)

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

  • http://ot.{BLOCKED}l.com/mxdotp/mail.asp
  • http://{BLOCKED}1.org/ddd/mail.asp
  • http://{BLOCKED}1.org/dddxx/mail.asp
  • http://{BLOCKED}1.org/df/mail.asp
  • http://{BLOCKED}1.org/dfxx/mail.asp
  • http://{BLOCKED}1.org/dk/mail.asp
  • http://{BLOCKED}1.org/gd/mail.asp
  • http://{BLOCKED}1.org/hg/mail.asp
  • http://{BLOCKED}1.org/jl/mail.asp
  • http://{BLOCKED}1.org/lq/mail.asp
  • http://{BLOCKED}1.org/mxd/mail.asp
  • http://{BLOCKED}1.org/mxdxx/mail.asp
  • http://{BLOCKED}1.org/nm/mail.asp
  • http://{BLOCKED}1.org/pm/mail.asp
  • http://{BLOCKED}1.org/t1/mail.asp
  • http://{BLOCKED}1.org/wow/mail.asp
  • http://{BLOCKED}1.org/wowpin/mail.asp

NOTES:

This spyware is normally dropped as %System%\ws2help.dll. The original %System%\ws2help.dll is renamed to %System%\ws2helpxp.dll by the dropper.

  SOLUTION

Minimum Scan Engine: 9.200
VSAPI OPR PATTERN File: 8.971.00
VSAPI OPR PATTERN Date: 04 May 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file that dropped/downloaded TSPY_ONLINEG.SM3

Step 3

Since this malware cannot be removed in normal and safe mode, it is necessary to restart using the Windows Recovery Console. To restart the system using the Windows Recovery Console:

• On Windows XP and Server 2003 systems:

  1. Click Start>Run. In the Open input box, type secpol.msc and press Enter.
  2. In the left panel, double-click Local Policies>Security Options.
  3. In the right panel, double-click Recovery Console: Allow floppy copy and access to all drives and folders.
  4. Select Enabled and click OK.
  5. Insert the Windows Installation CD into the CD drive, then restart your computer.
  6. When prompted, press any key to boot from the CD.
  7. On the main menu, type r to go to the Recovery Console.
  8. Type the number that corresponds to the drive and directory that contains Windows (usually C:\WINDOWS) and press Enter.
  9. Type the Administrator password and press Enter.
  10. In the input box, type the following then press Enter:
    SET AllowAllPaths = TRUE
    cd system32
    del ws2help.dll
    ren ws2helpXP.dll ws2help.dll
  11. Type exit and press Enter to restart the system normally.

• On Windows Vista and 7 systems:

  1. Insert your Windows Installation DVD in the DVD drive, then Press the restart button.
  2. When prompted, press any key to boot from the DVD.
  3. Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
  4. Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
  5. If the Startup Repair window appears, click Cancel, Yes, then Finish.
  6. In the System Recovery Options window, click Command Prompt.
  7. In the Command Prompt window, type the following then press Enter:
    cd system32
    del ws2help.dll
    ren ws2helpXP.dll ws2help.dll

    (Note: In Windows 7, all local drives will be assigned one more than normal. For example, the C: drive becomes D:.)
  8. Type exit and press Enter to close the Command Prompt window.
  9. Click Restart to restart the system normally.

Step 4

Scan your computer with your Trend Micro product to delete files detected as TSPY_ONLINEG.SM3. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.