TrojanDownloader:Win32/Frethog.C is a variant of a large family of password-stealing trojans that target confidential account data from Massively Multiplayer Online Role-Playing Games (MMORPGs) such as World of Warcraft (WoW).
Installation
TrojanDownloader:Win32/Frethog.C may be installed by variants of
Worm:Win32/Taterf and is present as a file with a .DLL file extension in the Windows system folder, such as one of the following:
Where <number> may be omitted entirely, or be a numeral from 0-9. Once dropped, the DLL is injected into explorer.exe or iexplore.exe. Win32/Frethog.C may also modify an existing device driver:
<system folder>\drivers\cdaudio.sys - VirTool:WinNT/Vanti
The registry is modified to run VirTool:WinNT/Vanti at Windows start.
Adds value: "DisplayName"
With data: "AVPsys"
To subkey: HKLM\System\CurrentControlSet\Services\AVPsys
Adds value: "ErrorControl"
With data: "1"
To subkey: HKLM\System\CurrentControlSet\Services\AVPsys
Adds value: "ImagePath"
With data: "<system folder>\drivers\cdaudio.sys"
To subkey: HKLM\System\CurrentControlSet\Services\AVPsys
Adds value: "Start"
With data: "3"
To subkey: HKLM\System\CurrentControlSet\Services\AVPsys
Payload
Steals online game data
TrojanDownloader:Win32/Frethog.C obtains account information for one or more of the following Massively Multiplayer Online Games and affiliated products:
Rainbow Island
Cabal Online
A Chinese Odyssey
Hao Fang Battle Net
Lineage
Gamania
MapleStory
qqgame
Legend of Mir
World Of Warcraft
The captured details are sent to a remote server.
Downloads other files
TrojanDownloader:Win32/Frethog.C may contact predefined remote websites to download additional files or malware. In the wild, this trojan was observed to connect to one of the following websites:
vgt77.com
csj0o.com
Disables Kaspersky Antivirus
In the wild, this trojan was observed disabling Kaspersky Antivirus by stopping its service and the service associated with updating the Kaspersky security program.
Additional Information
TrojanDownloader:Win32/Frethog.C may store configuration information under one of the following subkeys as registry data:
HKLM\Software\Classes\CLSID\MADOWN
HKLM\Software\Classes\CLSID\NOD32KVBIT
Below is one example of data stored in the registry:
Adds value: "urlinfo"
With data: "144"
To subkey: HKLM\Software\Classes\CLSID\MADOWN
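A defender-side check for the persistence entries and configuration subkeys listed above, added here as an example and not part of the original analysis: it parses a registry export (.reg text) and flags the AVPsys service pointing at cdaudio.sys as well as the MADOWN and NOD32KVBIT configuration keys. The sample export is constructed, and the dword value types for ErrorControl and Start are an assumption, since the write-up does not state the types.

```python
# Indicators copied from the analysis above, in .reg export spelling and lower-cased for matching.
AVPSYS_SERVICE = r"hkey_local_machine\system\currentcontrolset\services\avpsys"
CONFIG_KEYS = {r"hkey_local_machine\software\classes\clsid\madown",
               r"hkey_local_machine\software\classes\clsid\nod32kvbit"}

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}; handles REG_SZ and dword."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                keys[current][name.strip('"')] = int(data[6:], 16)
            else:  # REG_SZ: exports double every backslash
                keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_frethog_indicators(reg_text):
    """Return one finding per AVPsys service entry or Frethog config key found."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k == AVPSYS_SERVICE:
            image = values.get("ImagePath", "")
            # The write-up reports ImagePath under \drivers\cdaudio.sys and Start=3 (demand start).
            if image.lower().endswith(r"\drivers\cdaudio.sys"):
                findings.append(f"AVPsys service loads {image} (Start={values.get('Start')})")
        elif k in CONFIG_KEYS:
            findings.append(f"Frethog config key {key}: {values}")
    return findings

# Constructed sample export (not a real capture) mirroring the values listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys]
"DisplayName"="AVPsys"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\cdaudio.sys"
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\MADOWN]
"urlinfo"="144"
'''

if __name__ == "__main__":
    for finding in find_frethog_indicators(SAMPLE_REG):
        print(finding)
```

On a live host the same check can be run against `reg export HKLM\SYSTEM\CurrentControlSet\Services hklm_services.reg` output; a genuine cdaudio.sys is loaded by a differently named service, so the AVPsys service name is the distinguishing indicator.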
Analysis by Marian Radu