Virus Characteristics
“Generic PWS.GN” is a password-stealing Trojan (PWS) that targets login and account details for popular online games and spreads by copying itself to removable drives.
Upon execution the Trojan attempts to connect to the following URL on remote port 53. Port 53 is normally reserved for DNS, so outbound connections to it that are not DNS queries, or that go to a host other than the configured resolvers, are worth alerting on:
www.yah[Removed]3.com
The Trojan drops the following files:
- %Temp%\4tddfwq0.dll
- %Temp%\xvassdf.exe
- %Systemdrive%\dsb0.exe
- [RemovableDrive]\dsb0.exe
- [RemovableDrive]\autorun.inf
- %Systemdrive%\autorun.inf
An autorun.inf file is also dropped into the root of every removable drive and mapped network drive, next to the copied binary, so that the executable is launched when the drive is accessed. The file points at the malware binary (dsb0.exe in the same root); on a machine with the AutoRun feature enabled, opening the drive runs it automatically. Since Microsoft's 2011 AutoRun update (KB971029), Windows no longer honours autorun.inf on USB sticks and other non-optical removable media, so this propagation route only works on older or unpatched hosts; the file remains a reliable indicator that a drive has been attached to an infected machine.
The autorun.inf launches the Trojan through two entries: open= (executed by AutoRun itself) and shell\open\Command= (which replaces the drive's default Open action, so that double-clicking the drive in Explorer also runs the binary):
[AutoRun]
open=dsb0.exe
shell\open\Command=dsb0.exe
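A small parser for the autorun.inf format described above, added here as an example (it is not part of the original advisory and not vendor code). It extracts the entries that would actually launch something (open=, shellexecute= and any shell\<verb>\command=) while ignoring harmless keys such as label= or icon=, and tolerates the sloppy formatting malware-written files tend to have. The sample file content is constructed from the two entries listed above plus a benign label= line; the drive letters scanned in the main block are an assumption.

```python
"""Parse autorun.inf files and report the entries that would launch an executable."""
import os
import re
from typing import Dict, List

# Keys in the [AutoRun] section that make Windows run something: open= and
# shellexecute= fire on AutoRun/AutoPlay, shell\<verb>\command= defines the
# command behind a context-menu verb (shell\open\command is the double-click action).
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [AutoRun] section with keys lower-cased.

    A hand-rolled INI reader is used instead of configparser so that the
    malformed files malware tends to write (junk lines, duplicate keys, odd
    casing, CRLF or bare CR line endings, a UTF-8 BOM) still yield what can be recovered.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """The commands Windows would execute for this autorun.inf, in file order."""
    return [value for key, value in entries.items() if _LAUNCH_KEY.match(key) and value]


def scan_root(root: str) -> List[str]:
    """Find autorun.inf (any casing) in a drive root and return its launch targets."""
    try:
        names = os.listdir(root)
    except OSError:
        return []  # drive not present or not readable
    for name in names:
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", encoding="latin-1", errors="replace") as fh:
                return launch_targets(parse_autorun(fh.read()))
    return []


# Constructed sample (not a captured file): the two entries listed above plus a
# harmless label= line, with CRLF endings as Windows would write them.
SAMPLE_AUTORUN = "[AutoRun]\r\nopen=dsb0.exe\r\nlabel=Backup\r\nshell\\open\\Command=dsb0.exe\r\n"

if __name__ == "__main__":
    print("sample launches:", launch_targets(parse_autorun(SAMPLE_AUTORUN)))
    # On a Windows triage host, check each attached drive letter (assumed range);
    # elsewhere, pass the mount points of the suspect drives to scan_root() instead.
    for letter in "DEFGHIJ":
        for target in scan_root(f"{letter}:\\"):
            print(f"{letter}: autorun.inf would launch {target}")
```

Note that the parser only honours keys inside a [AutoRun] section, which matches what Windows does; a file with open= but no section header is not a working autorun.inf, although its presence on a removable drive is still worth a second look.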
The following registry value is added to the system:
HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger: "%Temp%\xvassdf.exe"
This Run entry starts the Trojan each time the user logs on (the HKEY_USERS\S-1-5-... path is the logged-on user's HKEY_CURRENT_USER hive).
The following registry values are modified (original value, then the value set by the Trojan):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
CheckedValue: 0x00000001 -> 0x00000000
HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden: 0x00000001 -> 0x00000002
ShowSuperHidden: 0x00000001 -> 0x00000000
These changes hide the Trojan's files from the user: Hidden=2 turns off the display of hidden files, ShowSuperHidden=0 turns off the display of protected operating-system files, and CheckedValue=0 under SHOWALL breaks the "Show hidden files and folders" option in Folder Options, so re-selecting it no longer restores the view. The CheckedValue change is the most useful indicator of the three, because Hidden=2 and ShowSuperHidden=0 are also the defaults on a clean installation.
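A triage script covering both registry changes described above, the Run-key persistence entry and the Explorer hiding values, added here as an example (not part of the original advisory and not vendor code). It flags Run values whose executable resolves under %TEMP% and compares the three Explorer values against clean defaults, treating only CheckedValue as proof of tampering. On Windows it reads the live registry through winreg; elsewhere it runs against a constructed snapshot of the post-infection state, which includes one ordinary Run entry (an assumed OneDrive path) that must not be flagged.

```python
"""Check the Run-key persistence and the Explorer file-hiding values described above."""
import ntpath
import os
import re
import sys
from typing import Dict, List, Tuple

RegValue = Tuple[str, str, str]  # (hive, subkey, value name)

EXPLORER_ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# What a stock Windows install carries. Only CheckedValue is a hard indicator:
# Hidden=2 and ShowSuperHidden=0 are the defaults, so they are reported for
# context but cannot prove tampering on their own.
CLEAN_DEFAULTS: Dict[RegValue, int] = {
    ("HKLM", SHOWALL, "CheckedValue"): 1,
    ("HKCU", EXPLORER_ADV, "Hidden"): 2,
    ("HKCU", EXPLORER_ADV, "ShowSuperHidden"): 0,
}
HARD_INDICATORS = {("HKLM", SHOWALL, "CheckedValue")}


def explorer_findings(values: Dict[RegValue, int]) -> Dict[str, Tuple[int, bool]]:
    """Map each present value name to (observed data, tampered?)."""
    findings: Dict[str, Tuple[int, bool]] = {}
    for key, clean in CLEAN_DEFAULTS.items():
        if key in values:
            observed = values[key]
            findings[key[2]] = (observed, key in HARD_INDICATORS and observed != clean)
    return findings


def expand_percent(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, as the Windows shell does."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def command_exe(command: str) -> str:
    """Executable part of a Run-key command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(run_values: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """Names of Run values whose executable lives under %TEMP%, a user-writable
    scratch directory that legitimate software does not autostart from."""
    temp = ntpath.normcase(ntpath.normpath(expand_percent("%TEMP%", env)))
    hits = []
    for name, command in run_values.items():
        exe = ntpath.normcase(ntpath.normpath(expand_percent(command_exe(command), env)))
        if exe.startswith(temp + "\\"):
            hits.append(name)
    return hits


def collect_from_registry() -> Tuple[Dict[RegValue, int], Dict[str, str]]:
    """Read the live values on a Windows host (winreg exists only there)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    explorer: Dict[RegValue, int] = {}
    for hive, subkey, name in CLEAN_DEFAULTS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                explorer[(hive, subkey, name)] = int(winreg.QueryValueEx(k, name)[0])
        except OSError:
            pass  # value absent: nothing to compare
    run: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as k:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, index)
            except OSError:
                break  # no more values
            run[name] = str(data)
            index += 1
    return explorer, run


# Constructed snapshot (not a real capture) reproducing the post-infection state
# listed above, alongside one ordinary Run entry (assumed path) that must not be flagged.
SAMPLE_EXPLORER: Dict[RegValue, int] = {
    ("HKLM", SHOWALL, "CheckedValue"): 0,
    ("HKCU", EXPLORER_ADV, "Hidden"): 2,
    ("HKCU", EXPLORER_ADV, "ShowSuperHidden"): 0,
}
SAMPLE_RUN = {
    "54dfsger": '"%Temp%\\xvassdf.exe"',
    "OneDrive": '"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}
SAMPLE_ENV = {"TEMP": r"C:\Users\victim\AppData\Local\Temp"}

if __name__ == "__main__":
    if sys.platform == "win32":
        explorer, run = collect_from_registry()
        env = dict(os.environ)
    else:
        explorer, run, env = SAMPLE_EXPLORER, SAMPLE_RUN, SAMPLE_ENV
    for name, (observed, tampered) in explorer_findings(explorer).items():
        print("TAMPERED" if tampered else "info    ", name, "=", observed)
    for name in suspicious_run_entries(run, env):
        print("SUSPICIOUS Run value", repr(name), "->", run[name])
```

The %TEMP% rule is deliberately narrow: it catches this family's placement without flagging ordinary autostart entries under Program Files or AppData\Local, and ntpath is used for the path comparison so the same logic works when an exported hive is analysed on a non-Windows workstation.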