Method of Infection
When executed, Win32/Windage.A drops two files to %System%\drivers: a copy of itself named "windf.exe" and the malicious DLL "windf.hlp" (a DLL despite its .hlp extension). It then injects the DLL into several running processes, in an attempt to hide its presence on the affected system.
The trojan also creates the following registry entry in order to execute itself at every startup. Note that this is the policies\Explorer\Run key, which is not inspected as routinely as the usual CurrentVersion\Run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\DF = "%System%\drivers\windf.exe"
Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for Windows 95, 98 and ME, and C:\Windows\System32 for Windows XP and Vista.
Payload
Steals Sensitive Information
Win32/Windage.A attempts to steal log-in credentials for online games such as:
Dungeon & Fighter
Hangame
Lineage II
MapleStory
Prison Tale 2
It sends the gathered information to a remote server on the www.llsoo.com domain.
Terminates Process
The trojan attempts to terminate the process "AVP.EXE" (the process name used by Kaspersky Anti-Virus) if it is running on the compromised machine.
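The following read-only triage sweep is an added example, not Microsoft's detection logic or any tool from this entry; it checks a host for the indicators described under Method of Infection (the two dropped files, the policies\Explorer\Run value, the DLL injected into running processes) and under Payload (the www.llsoo.com exfiltration domain in the local DNS resolver cache). It assumes a Windows version with PowerShell 4.0 or later, so it does not apply to the Windows 9x/NT/2000 systems mentioned in the note above; the function name and output layout are this example's own, while the paths, file names, value name and domain come from the entry.

```powershell
# Added example: read-only triage sweep for the Win32/Windage.A indicators
# listed in this entry. Run from an elevated PowerShell prompt on the suspect
# host. It changes nothing; it only reports what it finds.
function Find-WindageIndicators {
    [CmdletBinding()]
    param(
        # %System% resolved by asking the OS, as the malware itself does.
        [string]$SystemDir = [Environment]::GetFolderPath('System'),
        [string]$Domain    = 'llsoo.com'
    )

    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Dropped files in %System%\drivers (-Force so hidden files are not missed).
    foreach ($name in 'windf.exe', 'windf.hlp') {
        $path = Join-Path (Join-Path $SystemDir 'drivers') $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $hits.Add([pscustomobject]@{
                Type   = 'File'
                Where  = $path
                Detail = ('{0} bytes, SHA256 {1}' -f $item.Length, $hash)
            })
        }
    }

    # 2. Autostart value under policies\Explorer\Run. Match on the value name
    #    "DF" from the entry, and on any value whose data points at windf.exe.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    if (Test-Path -LiteralPath $runKey) {
        $props = Get-ItemProperty -LiteralPath $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($p.Name -eq 'DF' -or "$($p.Value)" -match 'windf\.exe') {
                $hits.Add([pscustomobject]@{
                    Type   = 'Registry'
                    Where  = "$runKey\$($p.Name)"
                    Detail = $p.Value
                })
            }
        }
    }

    # 3. Processes with the injected DLL mapped. Reading .Modules throws for
    #    protected/system processes, so those are skipped rather than aborting.
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }
        if ($mods | Where-Object { $_.ModuleName -ieq 'windf.hlp' }) {
            $hits.Add([pscustomobject]@{
                Type   = 'Process'
                Where  = "$($proc.ProcessName) (PID $($proc.Id))"
                Detail = 'windf.hlp loaded'
            })
        }
    }

    # 4. Exfiltration domain in the DNS resolver cache. Get-DnsClientCache exists
    #    on Windows 8 / Server 2012 and later, so check for it first.
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        Get-DnsClientCache -ErrorAction SilentlyContinue |
            Where-Object { $_.Entry -like "*$Domain" } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Type = 'DNS'; Where = $_.Entry; Detail = $_.Data })
            }
    }

    return $hits
}

Find-WindageIndicators | Format-Table -AutoSize
```

A hit in the Process category is the most urgent one: the DLL is already running inside another process, so deleting windf.hlp from disk will fail or be undone until those processes are stopped. An empty DNS result proves little, since the cache is short-lived and the host may use a proxy; treat it as supporting evidence only.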
Analysis by Ricardo Robielos III