Continued from our last post: Virus Encyclopedia vol. II.
This is a low- to medium-intensity, data-stealing Trojan horse that was first discovered on June 21, 2010, when it affected computers worldwide. It is designed to steal private data, most importantly the login credentials for a number of online games, including:
- Maple Story
- Cabal Online
- Dungeon Fighter, among others.
The malware first enters the PC and installs a copy of itself at the following location:
<user's Documents and Settings>\Local Settings\Temp\dsoqq.exe
Like most other malware, it makes its copy run automatically at startup by adding a value named "dso32" to the registry key mentioned below.
This online-game Trojan also drops a .dll file in the same location and names it dsoqq.exe.
Having done this, it begins executing its malicious code through the explorer.exe process. Explorer then creates an autorun.inf file on every drive of the PC roughly once a minute. That autorun.inf points to another executable with a random name, which is simply a further copy of the malware; this is what lets the malware spread to other systems via removable drives.
Once detected, it must be removed immediately. To prevent this online-gaming Trojan and the threats that come with it, protect your PC with an effective antivirus program.
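A defender-side check for the autorun.inf propagation described above, added here as an example and not code from the original post: it parses an autorun.inf and reports any launch directive that points at a bare executable in the drive root, which is how the randomly named copy this Trojan drops is wired up. The sample file content, the executable name and the drive list are constructed for illustration.

```python
import configparser
import os

# Constructed sample of the autorun.inf this Trojan writes to a drive root;
# the executable name is random in practice and invented here.
SAMPLE_AUTORUN = """[AutoRun]
open=kx8f2q.exe
shellexecute=kx8f2q.exe
shell\\open\\Command=kx8f2q.exe
"""

# Directives that make Windows launch a program on media insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}, or {} if absent/unparseable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}

def suspicious_launch_targets(text):
    """List (directive, target) pairs whose target is a bare .exe in the drive root,
    i.e. the propagation pattern described above (simple whitespace split; no shlex)."""
    findings = []
    for key, value in parse_autorun(text).items():
        parts = value.strip().split()
        target = parts[0].strip('"') if parts else ""
        if key in LAUNCH_KEYS and target.lower().endswith(".exe") \
                and "\\" not in target and "/" not in target:
            findings.append((key, target))
    return findings

def scan_drive_roots(roots):
    """Return {root: findings} for every root (e.g. 'E:/' or a mount point) whose autorun.inf is suspicious."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_launch_targets(fh.read())
            if hits:
                results[root] = hits
    return results
```

Running `scan_drive_roots` over the roots of all mounted removable drives gives a quick triage list; a hit is not proof of infection but warrants checking the referenced executable.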
Win32.Worm.KillAV.PDO is a low- to medium-intensity online threat that was first discovered on May 05, 2010.
This is a dangerous computer worm that can significantly compromise the PC's security. It disables the PC's security software, which allows other threats to creep in without the user noticing. It does this by terminating every process run by security tools such as antivirus software and the firewall. Once the worm has disabled them, the computer is defenseless against other types of malware. The worm can also delete the executables belonging to the security programs and ensures that the antivirus program will not be able to run even after the user reinstalls it.
Being a DLL, Win32.Worm.KillAV.PDO can begin its malicious actions only once it has been loaded into explorer.exe or 360safe.exe.
Once executed, it can create a driver at "%WinDir%\system\pcii.sys" and register it as a service.
Once detected, the user needs to remove it as a high priority to prevent further damage. Because this worm renders security programs ineffective, simply installing antivirus software after infection will not help.
Trojan.Dropper.Oficla.O is a medium-intensity threat that was first discovered on May 05, 2010. It is usually noticed through various notifications saying that the system has been infected.
Most of the time, Trojan.Dropper.Oficla.O enters your PC via an e-mail attachment that carries a spurious MS Office Word document icon to fool the user.
The moment the user downloads the attachment and runs the malicious code hidden inside it, the Trojan drops a .dll file in the "%temp%" folder and then copies that file into "%system%" under a random name. To ensure the .dll is activated at every boot, it also adds the following registry key.
The .dll is then injected into a svchost.exe process, after which the Trojan deletes itself to remove its traces.