Analysis by: Lord Alfred Remorin

ALIASES:

PWS:Win32/OnLineGames.LH (Microsoft), Infostealer.Gampass (Symantec), PWS-Mmorpg!yw (McAfee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This spyware may be dropped by other malware.

It steals sensitive information such as user names and passwords related to certain games.

  TECHNICAL DETAILS

File Size: 86,016 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 18 Sep 2012
Payload: Connects to URLs/IPs

Arrival Details

This spyware may be dropped by other malware.

Information Theft

This spyware steals sensitive information such as user names and passwords related to the following games:

  • AION GameClient (AION.bin)
  • Dungeon & Fighter (dnf.exe)
  • FIFA Online (ff2client.exe)
  • Heroes of the Pacific (heroes.exe)
  • MapleStory (MapleStory.exe)
  • Ncsoft Lineage (lin.bin)
  • Rohan Online Game (fairyclient.exe)
  • The Exiled Realm of Arborea (TERA.exe, ExLauncher.exe)
  • Tibia Player (OTP.exe)
  • World of Warcraft (wow.exe)

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URLs:

  • http://flr.{BLOCKED}fk.com/mox1/post.asp
  • http://gor.{BLOCKED}fk.com/cc/post.asp
  • http://gor.{BLOCKED}fk.com/wo/post.asp
  • http://oty.{BLOCKED}fk.com/mxotp/post.asp
  • http://{BLOCKED}6.sptpwjky.com//fafa/post.asp
  • http://{BLOCKED}6.sptpwjky.com/blood/post.asp
  • http://{BLOCKED}6.sptpwjky.com/df/post.asp
  • http://{BLOCKED}6.sptpwjky.com/hg/post.asp
  • http://{BLOCKED}6.sptpwjky.com/lh/post.asp
  • http://{BLOCKED}6.sptpwjky.com/lq/post.asp
  • http://{BLOCKED}6.sptpwjky.com/mxd/post.asp
  • http://{BLOCKED}6.sptpwjky.com/nm/post.asp
  • http://{BLOCKED}6.sptpwjky.com/pm/post.asp
  • http://{BLOCKED}6.sptpwjky.com/pm2/post.asp
  • http://{BLOCKED}6.sptpwjky.com/sword/post.asp
  • http://{BLOCKED}6.sptpwjky.com/tera/post.asp
  • http://{BLOCKED}6.sptpwjky.com/ty/post.asp

NOTES:

This spyware gets user names and passwords by reading the following files:

  • %System%\AionLog.ini
  • %System%\DfLog.ini
  • %System%\FFLog.ini
  • %System%\LUOHANLog.ini
  • %System%\LuoqiLog.ini
  • %System%\MXDLog.ini
  • %System%\TianyiLog.ini
  • %System%\hangame.ini
  • {OTP.exe path}\res\PCOTP.okf

It terminates its host process when running under any of the following:

  • AYAgent.aye
  • AYRTSrv.aye
  • AYServiceNT.aye
  • AYUpdSrv.aye
  • InjectWinSockServiceV3.exe
  • Nsavsvc.npc
  • SgSvc.exe
  • SkyMon.exe
  • SystemMon.exe
  • V3LSvc.exe
  • V3LTray.exe
  • V3Light.exe
  • nsvmon.npc
  • nvc.npc
  • nvcagent.npc

It also terminates the host process if the malware path contains the string alyac.

It hooks the following API functions:

  • InternetReadFile
  • HttpSendRequestA
  • HttpSendRequestExW
  • HttpSendRequestW
  • HttpSendRequestExA
  • HttpEndRequestA
  • HttpEndRequestW
  • MultiByteToWideChar
  • send

If running under EXPLORER.EXE, it accesses the URL http://www.{BLOCKED}s.kr/xx/d.exe to obtain the location of an updated copy of itself. It then downloads the file from the returned URL, saves it as %User Temp%\{8 random characters}.pif, and executes the downloaded file to update itself.

After installing its update, it accesses the URL http://{BLOCKED}r.kr/css/count.asp?mac={host's MAC address}&ComPut={Windows major version}&ver={malware version} to report the installation to the attacker.

This spyware is typically dropped as %System%\ws2help.dll, replacing the legitimate Winsock helper DLL so that it is loaded by processes that use this library. The original WS2HELP.DLL, a normal file, is renamed to WS2HELPXP.DLL.
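The exfiltration URLs listed under Stolen Information and the update/installation-report requests above share recognisable shapes even though their host names are blocked in this description: an HTTP POST to a path ending in /post.asp, a GET for /xx/d.exe, and a GET for /css/count.asp carrying the query keys mac, ComPut and ver. The following added example (not part of the original description) runs those three rules over constructed proxy log lines. The log format, the client IPs and the placeholder host names are assumptions; the rules key on paths and query parameters only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not taken from the original description).
# Assumed format: "<timestamp> <client-ip> <method> <url> <status>".
# Host names are placeholders; the real ones are {BLOCKED} in the write-up,
# so the rules below key on URL paths and query-string shape, not hosts.
SAMPLE_LOG = """\
2012-09-18T10:01:02Z 10.0.0.5 POST http://c2-host-a.invalid/cc/post.asp 200
2012-09-18T10:01:09Z 10.0.0.5 GET http://update-host.invalid/xx/d.exe 200
2012-09-18T10:01:15Z 10.0.0.5 GET http://beacon-host.invalid/css/count.asp?mac=00-11-22-33-44-55&ComPut=5&ver=12 200
2012-09-18T10:02:30Z 10.0.0.7 GET http://intranet.example/css/style.css 200
2012-09-18T10:03:00Z 10.0.0.7 POST http://forum.example/post.asp 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Indicators specific enough to act on alone; a lone POST to /post.asp is
# only a weak signal because legitimate ASP sites use that file name too.
STRONG = {"install_beacon", "update_check"}


def classify_request(method, url):
    """Return the indicator a single request matches, or None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if method == "GET" and path.endswith("/css/count.asp"):
        # parse_qs keeps key case, so "ComPut" must appear exactly as in the beacon
        query = parse_qs(parts.query)
        if {"mac", "ComPut", "ver"} <= set(query):
            return "install_beacon"
    if method == "GET" and path.endswith("/xx/d.exe"):
        return "update_check"
    if method == "POST" and path.endswith("/post.asp"):
        return "exfil_post"
    return None


def scan_log(text):
    """Map each client IP to (verdict, set of indicators seen)."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _, client, method, url, _ = m.groups()
        tag = classify_request(method, url)
        if tag:
            findings.setdefault(client, set()).add(tag)
    return {
        client: ("strong" if tags & STRONG else "weak", tags)
        for client, tags in findings.items()
    }


if __name__ == "__main__":
    for client, (verdict, tags) in scan_log(SAMPLE_LOG).items():
        print(client, verdict, sorted(tags))
```

In the constructed sample, 10.0.0.5 produces all three indicators and is rated strong, while 10.0.0.7 only posted to a /post.asp page on an internal forum and is rated weak; a weak-only client is worth a look at the host (see the file indicators below) rather than an alert on its own.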
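The file-system side of this description gives a responder two host indicators: the renamed original WS2HELPXP.DLL sitting next to a ws2help.dll that no longer matches it, and the credential log files listed under NOTES in %System%. The added example below (not code from the original description) checks a directory for both and compares the two DLLs by SHA-256, which is also the check to run before the copy in Step 5 of the Solution. The build_demo_dir helper constructs a throwaway directory with dummy file contents so the triage runs offline; on a real host you would point triage_system_dir at the actual system directory.

```python
import os
import hashlib
import tempfile

# Names taken from the description: credential logs the spyware reads,
# the dropped DLL name, and the name the original is renamed to.
CREDENTIAL_LOGS = [
    "AionLog.ini", "DfLog.ini", "FFLog.ini", "LUOHANLog.ini",
    "LuoqiLog.ini", "MXDLog.ini", "TianyiLog.ini", "hangame.ini",
]
DROPPED_DLL = "ws2help.dll"
RENAMED_ORIGINAL = "ws2helpxp.dll"


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_system_dir(system_dir):
    """Report the indicators present under system_dir.

    Name matching is case-insensitive because Windows file names are.
    """
    present = {name.lower(): name for name in os.listdir(system_dir)}
    result = {
        "renamed_original_present": RENAMED_ORIGINAL in present,
        "credential_logs": sorted(n for n in CREDENTIAL_LOGS if n.lower() in present),
        "dll_differs_from_backup": False,
    }
    if RENAMED_ORIGINAL in present and DROPPED_DLL in present:
        # On an infected host the two differ; after the Step 5 copy they match.
        dropped = sha256_of(os.path.join(system_dir, present[DROPPED_DLL]))
        backup = sha256_of(os.path.join(system_dir, present[RENAMED_ORIGINAL]))
        result["dll_differs_from_backup"] = dropped != backup
    result["suspicious"] = (
        result["renamed_original_present"] or bool(result["credential_logs"])
    )
    return result


def build_demo_dir(infected=True):
    """Constructed directory mimicking %System%; contents are dummy bytes."""
    d = tempfile.mkdtemp(prefix="ws2help-demo-")
    files = {"ws2help.dll": b"MZ-placeholder-dll", "kernel32.dll": b"MZ-placeholder-unrelated"}
    if infected:
        files["ws2help.dll"] = b"MZ-placeholder-dropped-dll"
        files["WS2HELPXP.DLL"] = b"MZ-placeholder-original-dll"
        files["AionLog.ini"] = b"[demo]\n"
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for label, flag in (("infected", True), ("clean", False)):
        print(label, triage_system_dir(build_demo_dir(infected=flag)))
```

Note that the dummy DLL contents here are not real PE files; on a live system the additional check worth making before restoring is that WS2HELPXP.DLL carries a valid Microsoft Authenticode signature, since the copy in Step 5 overwrites ws2help.dll with whatever is in that backup.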

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 9.404.03
FIRST VSAPI PATTERN DATE: 18 Sep 2012
VSAPI OPR PATTERN File: 9.405.00
VSAPI OPR PATTERN Date: 19 Sep 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode


Step 3

Search and delete the file detected as TSPY_ONLINEG.NUW

*Note: Some component files may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.

To manually delete a malware/grayware file from the affected system:

  1. Right-click Start then click Search....
  2. In the Named input box, type the name of the file that was detected earlier.
  3. In the Look In drop-down list, select My Computer then press Enter.
  4. Once located, select the file then press SHIFT+DELETE to delete it.

Step 4

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_ONLINEG.NUW. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 5

Restoring a File to its Original Location

  1. Click Start>Run.
  2. In the text box, type the following:
    command /c copy %System%\ws2helpxp.dll %System%\ws2help.dll
  3. Press Enter.


Did this description help? Tell us how we did.