| Field | Value |
| --- | --- |
| Malware name | Trojan.PSW.OnLin.aklo.2 |
| Type | Trojan |
| Affected platform | Win32 |
| Media type | application/executable |
| MD5 checksum | 56F4E7F769904BCB7E7705570BF8C880 |
| Static file | no |
| File size | 11,264 bytes |
| Side effects | Drops a malicious file; modifies the registry; steals information |
| Propagation | No own spreading routine |

Alias names (also known as):

| Vendor | Detection name |
| --- | --- |
| Sophos | Mal/Generic-A |
| McAfee | PWS-OnlineGames.bp |
| CA eTrust | Win32/Treemz!generic |
Description:
Files
It copies itself to the following location:
• %SYSDIR%\tmdkcok.exe
It deletes the initially executed copy of itself.
The following file is created:
– %SYSDIR%\tmdkco.dll
Further analysis showed that this file is also malware, detected as: Trojan.PSW.OnLin.aklo.2
Registry
The following registry key is changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
New value:
• AppInit_DLLs = tmdkco.dll
A DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, so this single value both keeps the dropped tmdkco.dll persistent and injects it into other applications, including the targeted game client.
Stealing
It tries to steal the following information:
– The password from the following program:
• %chinese text%
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer: To hinder detection and reduce the file's size, it is packed with the following runtime packer:
• UPX
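The following scanner is an added example, not code from the page or from any antivirus vendor. It turns the indicators in this description (the dropped file names, the sample's MD5, the AppInit_DLLs value) and the UPX packer note into checks that a responder can run. Registry values and file contents are passed in as plain Python objects so the logic runs offline; the minimal PE builder and the sample data at the bottom are constructed for illustration and are not real captured artefacts.

```python
"""Offline IOC scanner for Trojan.PSW.OnLin.aklo.2 (added example)."""
import hashlib
import struct

# Indicators taken from the description on this page.
IOC_MD5 = "56f4e7f769904bcb7e7705570bf8c880"
IOC_FILENAMES = {"tmdkcok.exe", "tmdkco.dll"}
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Section names UPX gives a packed image; a renamed UPX stub would evade this.
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_appinit_dlls(value):
    """AppInit_DLLs is a space- or comma-separated list of DLL names or paths."""
    return [p.strip().lower() for p in value.replace(",", " ").split() if p.strip()]


def check_appinit(value):
    """Flag any AppInit_DLLs entry whose file name is one of the dropped components."""
    return [f"{APPINIT_KEY}\\AppInit_DLLs references {entry}"
            for entry in parse_appinit_dlls(value)
            if _basename(entry) in IOC_FILENAMES]


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def check_file(path, data):
    """Match one file against the name, hash and packer indicators."""
    findings = []
    if _basename(path).lower() in IOC_FILENAMES:
        findings.append(f"{path}: file name matches a dropped component")
    if hashlib.md5(data).hexdigest() == IOC_MD5:
        findings.append(f"{path}: MD5 matches the analysed sample")
    packed = UPX_SECTIONS & set(pe_section_names(data))
    if packed:
        findings.append(f"{path}: UPX section names {sorted(packed)}")
    return findings


def scan(registry_values, files):
    """registry_values: values under APPINIT_KEY; files: {path: bytes}."""
    findings = check_appinit(registry_values.get("AppInit_DLLs", ""))
    for path, data in files.items():
        findings.extend(check_file(path, data))
    return findings


def build_fake_pe(section_names):
    """Constructed minimal PE (no optional header) for offline testing only."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    # Constructed sample input mirroring the description, not real captured data.
    reg = {"AppInit_DLLs": "tmdkco.dll", "LoadAppInit_DLLs": 1}
    files = {
        r"C:\Windows\System32\tmdkcok.exe": build_fake_pe(["UPX0", "UPX1", ".rsrc"]),
        r"C:\Windows\System32\notepad.exe": build_fake_pe([".text", ".data"]),
    }
    for line in scan(reg, files):
        print(line)
```

On a live Windows host the same inputs come from `winreg` (or `reg query`) for the key above and from reading `%SystemRoot%\System32`. Two caveats when interpreting a hit: the MD5 only matches this exact sample, so the file-name and section-name checks are what catch repacked variants; and on Windows Vista and later AppInit_DLLs is honoured only when `LoadAppInit_DLLs` is 1, whereas on Windows XP (the platform this sample targets) the listed DLL is loaded unconditionally.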