Trojan Behavior
- hidden autorun.inf file on the root of your system (usually C:\autorun.inf)
- creates a hidden executable file on the same folder location as the autorun.inf, pointed in the autorun.inf by an open statement
- creates a hidden Link Library file and a hidden executable file in your temporary folder (located in your [LocalSettingsFolder], i.e it could be in C:\Documents and Settings\username\Local Settings\Temp)
Trojan Technical Description
it is one of the most spreading online-games password stealer malware "families" out-there.
Upon execution, it creates autorun.inf files pointing to copies of itself, making sure it can survive after a system restart. These files will be located on root of the local drives of an affected system.
It creates another copy of itself into the temporary folder of the current user, where it also drops a new dll file which implements all the functionality required for stealing passwords related to MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron or other games. The newly created copy will be registered for running at the system start-up by a new entry created under HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run (named cdoosoft, having the path of the file as its value). At this point, the original infected file deletes itself from the disk, removing its traces.
The .dll file from the temp folder will then be written into the memory space of the explorer.exe process and executed. The malicious code injected into explorer.exe is responsable for setting the hooks needed for stealing passwords and also for further propagation by periodical (two times a minute) creation of autorun.inf files (and of the associated executable files) in the root folder of the local partitions.
Categories:
Trojan