.:: Trojan-PSW.Win32.OnLineGames.eos ::.

Win32.OnLineGames is a PSW Trojan, i.e. a Password Stealer, written specifically to steal online gaming passwords.

00401314 add eax, esi
00401316 lea eax, ds:401442h
0040131C jmp eax                          ; 00401442

At the entry point, code flow jumps to 00401442:

00401442 push ebp
00401443 mov ebp, esp
00401445 sub esp, 52Ch
0040144B call ds:GetCurrentThreadId
00401451 push eax
00401452 call ds:GetThreadDesktop
00401458 test eax, eax
0040145A jnz short loc_40145D
0040145C int 3                            ; Trap to Debugger
0040145D push ebx
0040145E push esi
0040145F push edi
00401460 mov edi, offset aCzxsderdaksiic  ; "CZXSDERDAKSIICS_MX"
00401465 xor esi, esi
00401467 push edi                         ; String
00401468 push esi                         ; NULL
00401469 push EVENT_ALL_ACCESS
0040146E call ds:OpenEventA

It obtains the handle of the desktop associated with its own thread, then tries to open an existing event named CZXSDERDAKSIICS_MX. If the event exists, the handle just obtained is closed (another instance is already running); otherwise a new event called CZXSDERDAKSIICS_MX is created with default security attributes. This is the usual single-instance check.

00401486 mov [ebp-10h], eax
00401489 mov edi, offset off_401154       ; edi points to an array of strings: the executables to look for
0040148E mov ecx, [edi]
00401490 call sub_401798                  ; is the named process running? returns its PID, or 0
00401495 cmp eax, esi
00401497 jz short loc_4014B2              ; if not, go to the next entry
00401499 push eax                         ; dwProcessId
0040149A push esi                         ; bInheritHandle = FALSE
0040149B push 1F0FFFh                     ; PROCESS_ALL_ACCESS
004014A0 call ds:OpenProcess
004014A6 cmp eax, esi
004014A8 jz short loc_4014B2
004014AA push esi                         ; exit code 0
004014AB push eax
004014AC call ds:TerminateProcess
004014B2 add edi, 4
004014B5 cmp edi, offset dword_40115C     ; end of the array
004014BB jl short loc_40148E
004014BD call sub_40131E                  ; AdjustTokenPrivileges wrapper
...
The executables searched for (and killed, if found) are Twister.exe and FilMsg.exe.

0040151B call ds:GetSystemDirectoryA
00401521 mov edx, offset asc_401204       ; "\\"
00401526 lea ecx, [ebp-11Ch]              ; System Directory
0040152C call sub_40174A
00401531 lea edx, [ebp-11Ch]
00401537 lea ecx, [ebp-428h]
0040153D call sub_40176F
00401542 push esi
00401543 call ds:GetModuleHandleA         ; GetModuleHandleA(NULL): its own image
00401549 push offset aMndll               ; "MNDLL"
0040154E push 65h
00401550 push eax
00401551 mov [ebp+8], eax
00401554 call ds:FindResourceA
0040155A push eax                         ; 00402048
0040155B mov [ebp-4], eax
0040155E push dword ptr [ebp+8]
00401561 call ds:SizeofResource
00401567 push dword ptr [ebp-4]
0040156A mov [ebp-18h], eax
0040156D push dword ptr [ebp+8]
00401570 call ds:LoadResource
00401576 push eax                         ; 00402070
00401577 call ds:LockResource
0040157D cmp eax, esi
0040157F mov [ebp-4], eax
00401582 jnz short loc_40158E
00401584 push dword ptr [ebp-10h]
00401587 call edi                         ; CloseHandle
00401589 jmp loc_4016C6

The code here is clear: after obtaining the System Directory, it looks up a resource of type "MNDLL" with ID 65h in its own image and loads it. If the resource cannot be locked, the event handle is closed and the process quits (jmp loc_4016C6). LoadResource gives us an interesting location, 00402070: it is an executable image. Exploring this executable we can see some interesting strings:

http://www.poptang.com/ekey.Bind
ConfigAreaName
game.ini
SOFTWARE\Wizet\MapleStory

004015A6 add esp, 0Ch
004015A9 lea edx, [ebp-428h]
004015AF lea ecx, [ebp-11Ch]
004015B5 call sub_40176F                  ; builds the file name csavpw0.dll
004015BA lea edx, [ebp-324h]              ; System Directory
004015C0 lea ecx, [ebp-11Ch]              ; csavpw0.dll
004015C6 call sub_40174A
004015CB lea eax, [ebp-11Ch]
004015D1 push eax
004015D2 call ds:DeleteFileA
004015D8 push esi                         ; hTemplateFile = NULL
004015D9 push 80h                         ; FILE_ATTRIBUTE_NORMAL
004015DE push 2                           ; CREATE_ALWAYS
004015E0 push esi                         ; lpSecurityAttributes = NULL
004015E1 push esi                         ; dwShareMode = 0
004015E2 lea eax, [ebp-11Ch]
004015E8 push 40000000h                   ; GENERIC_WRITE
004015ED push eax
004015EE call ds:CreateFileA
004015F4 cmp eax, 0FFFFFFFFh              ; INVALID_HANDLE_VALUE
004015F7 mov [ebp-14h], eax
004015FA jnz short loc_401605
004015FC inc dword ptr [ebp+8]
004015FF cmp dword ptr [ebp+8], 0Ah
00401603 jb short loc_401591              ; try the next index

If a csavpw0.dll already exists it is deleted first and then recreated. If creation fails, the same routine is repeated for csavpw1.dll, csavpw2.dll and so on; the counter in [ebp+8] runs up to 0Ah, so the last name tried is csavpw9.dll. In my case csavpw2.dll is the one that gets created.

00401608 push esi                         ; lpOverlapped = NULL
00401609 push ecx                         ; lpNumberOfBytesWritten
0040160A push dword ptr [ebp-18h]         ; size: 4C00h
0040160D push dword ptr [ebp-4]           ; buffer: 00402070
00401610 push eax                         ; hFile
00401611 call ds:WriteFile
0040161A call CloseHandle
0040161C push ebx
0040161D call ds:Sleep
00401623 lea ecx, [ebp-11Ch]              ; C:\WINDOWS\system32\csavpw2.dll

csavpw2.dll is filled with the resource found above: 4C00h bytes copied straight from 00402070, so the dropped file is byte-for-byte the embedded image.

00401630 push ebx
00401631 lea eax, [ebp-220h]
00401637 push offset aCzxsderdaksi_0      ; "CZXSDERDAKSIICS_%d"
0040163C push eax
0040163D call ds:wsprintfA
00401643 add esp, 0Ch
00401646 lea eax, [ebp-220h]
0040164C push eax                         ; CZXSDERDAKSIICS_0
0040164D push esi
0040164E push 1F0003h                     ; EVENT_ALL_ACCESS
00401653 call ds:OpenEventA
00401659 cmp eax, esi
0040165B jz short loc_401666
0040165D push eax
0040165E call CloseHandle
00401660 inc ebx
00401661 cmp ebx, 0Ah
00401664 jb short loc_401630

As before, it tries to open CZXSDERDAKSIICS_0, CZXSDERDAKSIICS_1, CZXSDERDAKSIICS_2 and so on up to CZXSDERDAKSIICS_9; the loop stops at the first name for which OpenEvent fails, i.e. the first number not yet in use. When that happens we get this:

0040166C push 104h                        ; MAX_PATH
00401671 push eax
00401672 push esi
00401673 call ds:GetModuleFileNameA
00401679 lea eax, [ebp-220h]              ; CZXSDERDAKSIICS_2
0040167F lea edx, [ebp-52Ch]              ; path of the Trojan executable
00401685 push eax                         ; CZXSDERDAKSIICS_2
00401686 lea eax, [ebp-11Ch]
0040168C push eax                         ; C:\WINDOWS\system32\csavpw2.dll
0040168D mov ecx, offset a8dfa290443ae89  ; "{8DFA2904-43AE-8929-9664-4347554D24B6}"
00401692 call sub_40124E

sub_40124E creates a key in HKEY_CLASSES_ROOT under CLSID\{8DFA2904-43AE-8929-9664-4347554D24B6} (the string at a8dfa290443ae89) and sets the values "ExeModuleName", "DllModuleName" and "SobjEventName"; the three arguments just prepared (the executable path, the DLL path and the event name) are the obvious contents of those values, and they let the DLL find its dropper and its event later.

004016B5 push eax                         ; csavpw2.dll
004016B6 call edi                         ; LoadLibraryA
004016B8 push esi
004016B9 call ds:ExitProcess
004016BF push eax
004016C0 call ds:CloseHandle

Finally the dropped DLL is loaded with LoadLibraryA (which runs its DllMain) and the dropper exits with ExitProcess(0).

.:: Trojan Removal ::.
1) Delete the Trojan file csavpw0.dll / csavpw1.dll / csavpw2.dll etc. from the System Directory (the dropper tries indexes 0 to 9, so check all of them). If the file cannot be deleted because it is loaded in a running process, unload it (terminate that process) or delete it from a clean boot.
2) Delete the registry key HKEY_CLASSES_ROOT\CLSID\{8DFA2904-43AE-8929-9664-4347554D24B6}. Its ExeModuleName value is where to look for the path of the dropper executable, which should be deleted as well.
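The dropped DLL is nothing more than a complete PE file stored inside the dropper (the image LoadResource returned at 00402070, 4C00h bytes, written unchanged to csavpw2.dll). It can therefore be recovered without running the sample: scan the dropper for nested MZ/PE headers and size each image from its section table. The following is an added example, not code from the original analysis; the real resource could also be reached through the resource directory (type "MNDLL", ID 65h), but scanning for embedded headers is format-agnostic and works for any dropper that stores its payload uncompressed. The dropper it runs on is constructed in-line by build_minimal_pe and build_sample_dropper; those two helpers, and the strings placed in the inner image, are fabricated test fixtures, while the carver itself (pe_length_at, find_embedded_pe, carve) works on any file.

```python
"""Carve embedded PE images out of a dropper statically.

Added example, not code from the original analysis. The dropper used here is
constructed in-line by build_sample_dropper(): a PE file stored inside another
PE, which is what the "MNDLL" resource of the real sample amounts to.
"""
import struct

DOS_HEADER_SIZE = 0x40
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
OPT_HEADER_SIZE_PE32 = 0xE0


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def pe_length_at(blob, base):
    """Size on disk of the PE image starting at blob[base], or 0 if there is
    no complete PE there (bad e_lfanew, missing PE\\0\\0, raw data past EOF)."""
    if blob[base:base + 2] != b"MZ" or base + DOS_HEADER_SIZE > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < DOS_HEADER_SIZE or pe + 4 + COFF_HEADER_SIZE > len(blob):
        return 0
    if blob[pe:pe + 4] != PE_SIGNATURE:
        return 0
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 4 + COFF_HEADER_SIZE
    sections = opt + opt_size
    if nsec == 0 or opt_size < 0x40 or sections + nsec * SECTION_HEADER_SIZE > len(blob):
        return 0
    # SizeOfHeaders sits at +0x3C of both the PE32 and the PE32+ optional header
    end = struct.unpack_from("<I", blob, opt + 0x3C)[0]
    for i in range(nsec):
        _name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, sections + i * SECTION_HEADER_SIZE)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    # refuse images whose raw data runs past the end of the container
    if end == 0 or base + end > len(blob):
        return 0
    return end


def find_embedded_pe(blob):
    """Every (offset, length) of a complete PE image in blob, outermost first.
    Stray 'MZ' bytes are rejected by the PE\\0\\0 and section-table checks."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        length = pe_length_at(blob, pos)
        if length:
            hits.append((pos, length))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve(blob, offset, length):
    return blob[offset:offset + length]


def build_minimal_pe(payload, file_alignment=0x200):
    """Constructed test fixture: a minimal, non-runnable PE32 with one .data
    section holding payload. Only the fields the carver reads are meaningful."""
    headers_len = _align(
        DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + OPT_HEADER_SIZE_PE32 + SECTION_HEADER_SIZE,
        file_alignment)
    raw_size = _align(len(payload), file_alignment)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", DOS_HEADER_SIZE)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, OPT_HEADER_SIZE_PE32, 0x2102)
    opt = bytearray(OPT_HEADER_SIZE_PE32)
    struct.pack_into("<H", opt, 0x00, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 0x24, file_alignment)  # FileAlignment
    struct.pack_into("<I", opt, 0x3C, headers_len)     # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".data", len(payload), 0x1000,
                          raw_size, headers_len, 0, 0, 0, 0, 0xC0000040)
    headers = dos + PE_SIGNATURE + coff + bytes(opt) + section
    return headers.ljust(headers_len, b"\0") + payload.ljust(raw_size, b"\0")


def build_sample_dropper():
    """Constructed stand-in for the sample: an outer PE whose section data holds
    a second PE (playing the part of the MNDLL resource) between unrelated bytes.
    Returns (dropper, embedded_pe, offset_of_embedded_pe)."""
    inner = build_minimal_pe(
        b"http://www.poptang.com/ekey.Bind\0game.ini\0SOFTWARE\\Wizet\\MapleStory\0")
    prefix = b"<resource directory and other data>"
    payload = prefix + inner + b"<trailing data>"
    outer = build_minimal_pe(payload)
    headers_len = len(outer) - _align(len(payload), 0x200)
    return outer, inner, headers_len + len(prefix)


if __name__ == "__main__":
    dropper, _, _ = build_sample_dropper()
    for off, length in find_embedded_pe(dropper):
        print(f"PE image at offset {off:#x}, {length:#x} bytes")
```

On a real dropper, run find_embedded_pe over the file bytes and carve every hit after the first (the first is the dropper itself); the carved length should match what SizeofResource reported (4C00h here), and comparing the carved bytes with the csavpw*.dll found on disk confirms the file is the unmodified resource. Images whose section data runs past the end of the container are deliberately skipped, so a truncated sample yields only the inner image.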