“Generic PWS.GN” is a Trojan that spreads by copying itself to removable drives in order to steal login and account details for popular online games.
Upon execution, the Trojan tries to connect to the URL below over remote port 53.
The Trojan copies itself to the following locations:
- [RemovableDrive]\dsb0.exe
- [RemovableDrive]\autorun.inf
It also drops an autorun.inf file into the root of all removable and mapped drives in an attempt to have an executable launched automatically when the drive is accessed.
The AutoRun.inf file points to the malware's executable; when the removable or network drive is opened from a machine with the AutoRun feature enabled, the malware is launched automatically.
The autorun.inf is configured to launch the Trojan file using the following command syntax:
The following registry value has been added to the system:
HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger: " %Temp% \xvassdf.exe"
This Run entry registers the Trojan with the compromised system so that it executes on every boot.
The following registry values have been modified on the system:
This registry modification allows the Trojan to hide its files.
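A defender triaging a drive image or a registry export can check for the two artifacts described above (an autorun.inf that launches the dropped binary, and the Run-key value) with a small script. The following is an added example, not part of the original advisory; the sample autorun.inf content is constructed, since the advisory does not reproduce the file's actual command syntax.

```python
import ntpath
import re

# Documented autorun.inf directives that start a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Indicators taken from the advisory text.
KNOWN_DROPPER = "dsb0.exe"                    # binary copied to the drive root
KNOWN_RUN_VALUE = ("54dfsger", "xvassdf.exe")  # Run-key value name, target exe

# Constructed sample autorun.inf (not the malware's real file).
SAMPLE_AUTORUN_INF = r"""; constructed sample
[autorun]
open=dsb0.exe
shell\open\command=dsb0.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def _program_of(cmdline):
    """Lower-cased basename of the program in a command line (quotes and args stripped)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    else:
        s = s.split()[0] if s else ""
    return ntpath.basename(s.strip()).lower()


def autorun_launch_targets(inf_text):
    """Return the program basenames an autorun.inf would launch."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            program = _program_of(value)
            if program:
                targets.append(program)
    return targets


def flags_autorun(inf_text):
    """True if the autorun.inf launches the dropper named in the advisory."""
    return KNOWN_DROPPER in autorun_launch_targets(inf_text)


def flags_run_entry(value_name, value_data):
    """True if a Run-key value matches the advisory's persistence indicator."""
    return (value_name.lower() == KNOWN_RUN_VALUE[0]
            and _program_of(value_data) == KNOWN_RUN_VALUE[1])
```

Feed `autorun_launch_targets` the contents of each drive root's autorun.inf and `flags_run_entry` each name/data pair exported from the HKEY_USERS Run keys.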