PWS:Win32/OnlineGames.ZDR is a generic detection for a password-stealing trojan.
Installation
PWS:Win32/OnlineGames.ZDR may arrive on a system under a variety of file names. Some of the file names it has been known to use are the following:
- <system folder>\azzxaime.exe
- <system folder>\spjhahlp.exe
- <system folder>\aitlasys.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
It also drops a DLL file onto the system, which is also detected as PWS:Win32/OnlineGames.ZDR. The dropped DLL file may have the following file names:
- <system folder>\zyzxjime.dll
- <system folder>\ptjhehlp.dll
- <system folder>\zptlcsys.dll
The dropped DLL file is then injected into the "explorer.exe" process. It is also registered as a COM in-process server, as a Shell Execute Hook and as a Browser Helper Object (BHO), so that the shell and the browser load it, by adding registry entries such as the following:
For the DLL file "zyzxjime.dll":
Adds value: "(default)"
With data: "<system folder>\zyzxjime.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32
Adds value: "{AA59145F-315D-BC23-AC1F-145DF81A34AA}"
With data: "zyzxjime.dll"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Adds value: "(default)"
With data: "zyzxjime.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA59145F-315D-BC23-AC1F-145DF81A34AA}
For the DLL file "ptjhehlp.dll":
Adds value: "(default)"
With data: "<system folder>\ptjhehlp.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{528DF602-9541-A985-210A-984A698C6F25}\InprocServer32
Adds value: "{528DF602-9541-A985-210A-984A698C6F25}"
With data: "ptjhehlp.dll"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Adds value: "(default)"
With data: "ptjhehlp.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528DF602-9541-A985-210A-984A698C6F25}
For the DLL file "zptlcsys.dll":
Adds value: "(default)"
With data: "<system folder>\zptlcsys.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{50940F85-F015-14F1-A05F-F69858AC6D05}\InprocServer32
Adds value: "{50940F85-F015-14F1-A05F-F69858AC6D05}"
With data: "zptlcsys.dll"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Adds value: "(default)"
With data: "zptlcsys.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}
PWS:Win32/OnlineGames.ZDR also drops a SYS file and a BAT file onto the system. The BAT file is used to delete the originally running copy of the trojan once the dropped components are in place. Some of the SYS and BAT file names it is known to use are the following:
- <system folder>\fstlbsys.sys
- <system folder>\fxzxbime.sys
- <system folder>\pmjhbhlp.sys
- %TEMP%\~dfd126902.bat
- %TEMP%\~dfd159960.bat
- %TEMP%\~dfd184615.bat
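The registry entries and dropped files listed above are what an analyst would check for on a suspect host. The following read-only PowerShell triage script is an added example and is not part of the Microsoft encyclopedia entry: it enumerates every Shell Execute Hook and Browser Helper Object registered on the machine, resolves each CLSID to the DLL it loads, and flags the CLSIDs and file names given on this page. Because the entry notes that the file names vary, the script lists all registered hooks and BHOs rather than only the known ones, so that renamed variants still show up for review. The CLSIDs, file names and registry paths are taken from the page; the script structure, the `~dfd*.bat` pattern and the output layout are assumptions of this example.

```powershell
# Added example (not from the Microsoft encyclopedia entry): read-only triage of
# Shell Execute Hooks, Browser Helper Objects and dropped files described on this page.
# Run in an elevated PowerShell session; it changes nothing on the host.

# Indicators taken from the page.
$KnownClsids = @(
    '{AA59145F-315D-BC23-AC1F-145DF81A34AA}',
    '{528DF602-9541-A985-210A-984A698C6F25}',
    '{50940F85-F015-14F1-A05F-F69858AC6D05}'
)
$KnownFiles = @(
    'azzxaime.exe', 'spjhahlp.exe', 'aitlasys.exe',
    'zyzxjime.dll', 'ptjhehlp.dll', 'zptlcsys.dll',
    'fstlbsys.sys', 'fxzxbime.sys', 'pmjhbhlp.sys'
)
# Assumed pattern covering the %TEMP%\~dfd<digits>.bat names listed on the page.
$KnownBatPattern = '^~dfd\d+\.bat$'

$SystemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$HookKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$BhoKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-InprocServerPath {
    # Resolve a CLSID to the DLL registered as its in-process COM server.
    param([string]$Clsid)
    $key = "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
}

$findings = @()

# 1. Each value name under ShellExecuteHooks is a CLSID the Windows shell loads.
if (Test-Path $HookKey) {
    $props = Get-ItemProperty -Path $HookKey
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -notmatch '^\{[0-9A-F-]+\}$') { continue }   # skip PS* metadata properties
        $findings += [pscustomobject]@{
            Source   = 'ShellExecuteHooks'
            Clsid    = $name
            Path     = Get-InprocServerPath $name
            KnownIoC = $KnownClsids -contains $name
        }
    }
}

# 2. Each subkey under Browser Helper Objects is a CLSID Internet Explorer loads.
if (Test-Path $BhoKey) {
    foreach ($sub in Get-ChildItem -Path $BhoKey) {
        $findings += [pscustomobject]@{
            Source   = 'BrowserHelperObjects'
            Clsid    = $sub.PSChildName
            Path     = Get-InprocServerPath $sub.PSChildName
            KnownIoC = $KnownClsids -contains $sub.PSChildName
        }
    }
}

# 3. Dropped EXE/DLL/SYS files in the system folder and BAT files in %TEMP%.
foreach ($f in $KnownFiles) {
    $p = Join-Path $SystemFolder $f
    if (Test-Path $p) {
        $findings += [pscustomobject]@{ Source = 'File'; Clsid = ''; Path = $p; KnownIoC = $true }
    }
}
Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $KnownBatPattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'File'; Clsid = ''; Path = $_.FullName; KnownIoC = $true }
    }

# Known indicators first, then everything else for manual review.
$findings | Sort-Object KnownIoC -Descending | Format-Table -AutoSize
if ($findings | Where-Object KnownIoC) {
    Write-Warning 'Indicators matching PWS:Win32/OnlineGames.ZDR were found; isolate the host and preserve the listed files before cleanup.'
}
```

Entries with KnownIoC set to False are not necessarily malicious; legitimate software registers hooks and BHOs too. The useful signal for a variant is a DLL whose InprocServer32 path points into the system folder under an unfamiliar, randomly styled name, which is exactly the pattern the file names on this page follow.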
Payload
Downloads Arbitrary Files
PWS:Win32/OnlineGames.ZDR connects to various websites to download files. These files may be other malware or updated versions of itself.
Steals Sensitive Data
PWS:Win32/OnlineGames.ZDR may log user keystrokes and steal user information, such as passwords to popular online games. The information is sent to remote servers.
Analysis by Iulian Mihai