
Virus Reporter - World of Warcraft and Wowpa Trojan

The Wowpa Trojan can cause harm and annoyance to World of Warcraft fans as it tries to obtain the passwords for this game.

A Wow Trojan's main goal is to spy on the confidential data of World of Warcraft fans. Accordingly, it makes changes to the system that allow it to log keystrokes. The Trojan is activated when the text "World of Warcraft" appears in the address bar of the window that opens or when a wow.exe process is started on the infected system.

In addition to confidential World of Warcraft data, the Wowpa Trojan collects system information, which may include:

  • IP address and hostname,
  • game server name,
  • various game-related information.

The Trojan can also download additional malicious files over the Internet.


When the Wowpa Trojan starts, it performs the following actions:

  1. Creates the following files:
    %System%\Launcher.exe
    %System%\SVCH0ST.EXE
    %System%\Server.exe
    %Windows%\Help\MSpass.exe
    %System%\mywow.dll
    %System%\fsmgmt.dll
    %Temp%\WowInitcode.dll
    %Temp%\WowInitcode.dat
    %System%\BhoPlugin.dll
    %System%\WinHel.dll
    %Windows%\Help\MShook.dll
  2. Adds the following entries to the registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wow = "%System%\Launcher.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Systems32 = "%System%\Server.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MShelp = "RUNDLL32.EXE %Windows%\BhoPlugin.dll,Install"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ManagerHLP = "RUNDLL32.EXE C:\WINDOWS\system32\WinHel.dll,Install"
  3. Modifies the following values in the registry:
    HKLM\System\CurrentControlSet\Services\MSmassacre\ImagePath = "%Windows%\help\MSpass.exe"
    HKLM\System\CurrentControlSet\Services\MSmassacre\ObjectName = "LocalSystem"
    HKLM\System\CurrentControlSet\Services\MSmassacre\Description = "mos"
    HKLM\System\CurrentControlSet\Services\MSmassacre\DisplayName = "MS Massacre"
    HKLM\System\CurrentControlSet\Services\MSmassacre\Enum\0 = "Root\LEGACY_MSMASSACRE\0000"
    HKLM\System\CurrentControlSet\Services\MSmassacre\ErrorControl = 0x0
    HKLM\System\CurrentControlSet\Services\MSmassacre\Enum\Count = 0x1
    HKLM\System\CurrentControlSet\Services\MSmassacre\Enum\NextInstance = 0x1
    HKLM\System\CurrentControlSet\Services\MSmassacre\Start = 0x2
  4. Attempts to obtain user information related to the game World of Warcraft. To do this, it constantly monitors the user's activity and watches for any window that has the title "World of Warcraft" or belongs to the wow.exe process.
  5. Logs keystrokes.
  6. Collects system information.
  7. Downloads a malicious file from the Internet and saves it as:
    %Temp%\wowupdate.exe
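
An added example, not part of the original write-up: a PowerShell sweep of a live host for the files, autostart values and service key listed above. Mapping the write-up's %System%, %Windows% and %Temp% placeholders to System32/SysWOW64, $env:windir and $env:TEMP, and also checking the Wow6432Node Run key, are assumptions of this example.

```powershell
# Added example: sweep a live host for the artifacts listed in the write-up.
# Assumption: %System% -> System32 (and SysWOW64 on 64-bit Windows),
# %Windows% -> $env:windir, %Temp% -> the current user's $env:TEMP.
$win     = $env:windir
$sysDirs = @("$win\System32", "$win\SysWOW64") | Where-Object { Test-Path -LiteralPath $_ }

# File names exactly as listed; SVCH0ST.EXE is spelled with a digit zero.
$files = @(
    foreach ($d in $sysDirs) {
        'Launcher.exe', 'SVCH0ST.EXE', 'Server.exe', 'mywow.dll', 'fsmgmt.dll',
        'BhoPlugin.dll', 'WinHel.dll' | ForEach-Object { Join-Path $d $_ }
    }
    'MSpass.exe', 'MShook.dll' | ForEach-Object { Join-Path "$win\Help" $_ }
    'WowInitcode.dll', 'WowInitcode.dat', 'wowupdate.exe' |
        ForEach-Object { Join-Path $env:TEMP $_ }
)

# Autostart values. The Wow6432Node key is where a 32-bit process's write to
# HKLM\Software\...\Run lands on 64-bit Windows.
$runValues = @(
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
        foreach ($n in 'Systems32', 'MShelp', 'ManagerHLP') { @{ Key = $k; Name = $n } }
    }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'wow' }
)

$hits = @(
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Type = 'File'; Item = $f; Data = '' } }
    }
    foreach ($r in $runValues) {
        $p = Get-ItemProperty -LiteralPath $r.Key -Name $r.Name -ErrorAction SilentlyContinue
        if ($p) {
            [pscustomobject]@{ Type = 'RunValue'; Item = "$($r.Key)\$($r.Name)"; Data = $p.($r.Name) }
        }
    }
    # Service key from step 3; ImagePath shows which binary the service starts.
    $svcKey = 'HKLM:\System\CurrentControlSet\Services\MSmassacre'
    $svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
    if ($svc) { [pscustomobject]@{ Type = 'Service'; Item = $svcKey; Data = $svc.ImagePath } }
)

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else {
    'No listed Wowpa artifacts found for this user on this host.'
}
```

The sweep reads only the current user's HKCU hive and Temp folder, so run it in the affected user's session. A file-name match on its own is weak evidence; a Run value or the MSmassacre service key pointing at one of the listed files is the stronger signal.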
