(Trojan-GameThief.Win32.OnLineGames.tpnr, PWS-Mmorpg.gen trojan, TR/Agent.14336.49, Trojan.Siggen.337)


If you have at least one of the following files on your computer, you are infected:

%windir%\system32\system.exe  (size: 7,5KB)
%windir%\system32\drivers\hbkernel32.sys (size: 17,6KB)

(where %windir% stands for c:\windows or c:\winnt, depending on the operating system)

Removal instructions:

Please let BitDefender delete your infected files.

Analyzed by

Boeriu Laura, virus researcher

Technical description:

The malware drops the following files:
1) %windir%\system32\hbqqxx.dll
      - this .dll is injected into all running processes and attempts to steal sensitive information, such as user accounts and passwords for the Tencent QQ instant messaging program
2) %windir%\system32\system.exe

3) %windir%\system32\drivers\hbkernel32.sys
      - a service named HBKernel32 will be created and will be started at every system startup
      - will set the registry key:
            ImagePath -> %windir%\system32\drivers\HBKernel32.sys 
      - the NtSetValueKey entry in the System Service Descriptor Table is hooked to point to code from this file

4) c:\documents and settings\%user_name%\local settings\temp\selfdel.bat
      - this is a batch script that will delete the original malware file after it completes its tasks
After dropping these files, the trojan runs system.exe and selfdel.bat.

System.exe will perform the following registry operations:

 - will add itself to the registry key to run at every system startup:
     HBService32 -> System.exe
 - will set
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
     AppInit_DLLs  -> HBmhly.dll, HB1000Y.dll, HBWOOOL.dll, HBXY2.dll, HBJXSJ.dll, HBSO2.dll, HBFS2.dll, HBXY3.dll, HBSHQ.dll, HBFY.dll, HBWULIN2.dll, HBW2I.dll, HBKDXY.dll, HBWORLD2.dll, HBASKTAO.dll, HBZHUXIAN.dll, HBWOW.dll, HBZERO.dll, HBBO.dll, HBCONQUER.dll, HBSOUL.dll, HBCHIBI.dll, HBDNF.dll, HBWARLORDS.dll, HBTL.dll, HBPICKCHINA.dll, HBCT.dll, HBGC.dll, HBHM.dll, HBHX2.dll, HBQQHX.dll, HBTW2.dll, HBQQSG.dll, HBQQFFO.dll, HBZT.dll, HBMIR2.dll, HBRXJH.dll, HBYY.dll, HBMXD.dll, HBSQ.dll, HBTJ.dll, HBFHZL.dll, HBWLQX.dll, HBLYFX.dll, HBR2.dll, HBCHD.dll, HBTZ.dll, HBQQXX.dll, HBWD.dll, HBZG.dll, HBPPBL.dll, HBXMJ.dll, HBJTLQ.dll, HBQJSJ.dll

 - will remove the entries:
     which belong to a Chinese antivirus.

System.exe runs as a process that is accessible only from kernel mode; attempting to kill it with Task Manager produces an error.
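The following triage script is an added example, not part of the BitDefender write-up: it checks a host, read-only, for the dropped files, the HBKernel32 driver service, the HBService32 startup value and any HB*.dll entries in AppInit_DLLs named above. The description names the HBService32 value but not its key, so checking the usual HKLM and HKCU Run keys is an assumption, as is the standard services key path for HBKernel32.

```powershell
# Added triage script (not BitDefender's tool). Run from an elevated PowerShell prompt.
# It only reports findings; it removes nothing.
$findings = @()

# 1) Dropped files named in the description
$files = @(
    "$env:windir\system32\system.exe",
    "$env:windir\system32\drivers\hbkernel32.sys",
    "$env:windir\system32\hbqqxx.dll",
    "$env:TEMP\selfdel.bat"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings += "File present: $f ($len bytes)"
    }
}

# 2) The HBKernel32 service; the services key path is the standard one (assumption)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HBKernel32'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service HBKernel32 registered, ImagePath = $img"
}

# 3) Startup value HBService32 -> System.exe; the write-up does not name the key,
#    so the HKLM and HKCU Run keys are checked as an assumption
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $run -Name HBService32 -ErrorAction SilentlyContinue).HBService32
    if ($val) { $findings += "Run value HBService32 in $hive = $val" }
}

# 4) AppInit_DLLs under the key named in the description: flag any HB*.dll entry
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appinit) {
    $hits = ($appinit -split '[,\s]+') | Where-Object { $_ -match '^HB\w+\.dll$' }
    if ($hits) { $findings += "AppInit_DLLs contains: $($hits -join ', ')" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this description were found.' }
```

Because the driver hooks NtSetValueKey, registry reads from an infected host may be filtered; treat a clean result on a suspect machine as inconclusive and confirm from offline media or with an antivirus scan.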