
Wowcraft.b

Posted: March 28, 2006

Wowcraft.b is a trojan designed to steal passwords used in the popular PC game "World of Warcraft" and send them to its author by e-mail. It can also record user keystrokes, terminate running antivirus applications and kill security-related processes.

File System Modifications

  • The following files were created in the system:
    1. 1.com
    2. command.pif
    3. debugprogram.exe
    4. dxdiag.com
    5. exeroute.exe
    6. explorer.com
    7. finder.com
    8. iexplore.com
    9. iexplore.pif
    10. msconfig.com
    11. msconfig.sys
    12. regedit.com
    13. rundll32.com
    14. smss.exe

Registry Modifications

  • The following newly produced Registry Values are:
    HKEY_CLASSES_ROOT\.bfc\ShellNew\Command = %System%
    HKEY_CLASSES_ROOT\.exe\(Default) = winfiles
    HKEY_CLASSES_ROOT\.lnk\ShellNew\Command = rundll32.com appwiz.cpl
    HKEY_CLASSES_ROOT\InternetShortcut\Shell\Open\Command\(Default) = finder.com shdocvw.dll
    HKEY_CLASSES_ROOT\Unknown\Shell\OpenAs\Command\(Default) = %System%\finder.com %System%\shell32.dll
    HKEY_CLASSES_ROOT\cplfile\Shell\cplopen\Command\(Default) = rundll32.com shell32.dll
    HKEY_CLASSES_ROOT\dunfile\Shell\Open\Command\(Default) = %System%
    HKEY_CLASSES_ROOT\telnet\Shell\Open\Command\(Default) = finder.com url.dll
    HKEY_CLASSES_ROOT\file\Shell\Open\Command\(Default) = rundll32.com url.dll
    HKEY_CLASSES_ROOT\htmlfile\Shell\OpenNew\Command\(Default) = C:\Program Files\Common Files\iexplore.pif
    HKEY_CLASSES_ROOT\http\Shell\Open\Command\(Default) = C:\Program Files\Common Files\iexplore.pif -nohome
    HKEY_CLASSES_ROOT\inffile\Shell\Install\Command\(Default) = %System%
    HKEY_CLASSES_ROOT\scrfile\Shell\Install\Command\(Default) = finder.com desk.cpl
    HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\Command\(Default) = %System%\finder.com %System%\scrobj.dll
    HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command\(Default) = %Windir%\exeroute.exe %1 %*
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\Shell\Open\Command\(Default) = C:\Program Files\Internet Explorer\iexplore.com %1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\Shell\Find\Command\(Default) = %Windir%\explorer.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\Shell\Open\Command\(Default) = finder.com shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\Shell\Openas\Command\(Default) = %System%\finder.com %System%\shell32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dunfile\Shell\Open\Command\(Default) = %System%
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\Shell\Open\Command\(Default) = C:\Program Files\Internet Explorer\iexplore.com %1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\Shell\Open\Command\(Default) = C:\Program Files\Common Files\iexplore.pif -nohome
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\Shell\Install\Command\(Default) = %System%
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\Shell\Install\Command\(Default) = finder.com desk.cpl
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\Shell\Open\Command\(Default) = C:\Program Files\Common Files\iexplore.pif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\ToolSets\MSInfo\hdwwiz\command = %System%\command.pif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\orjanprogram = %Windir%\smss.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\orjanprogram = %Windir%\smss.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe 1
  • Command-line tails separated from the values above during extraction (rundll32-style entry points, kept as recovered): Briefcase_Create %2!d! %1; Control_RunDLL %1; DefaultInstall 132 %1; FileProtocolHandler %1; GenerateTypeLib %1; InstallHinfSection DefaultInstall 132 %1; InstallScreenSaver %l; InvokeDunFile %1; NewLinkHere %1; OpenAs_RunDLL %1; OpenURL %l; TelnetProtocolHandler %l; rundll32.com %System%\syncui.dll; rundll32.com netshell.dll; rundll32.com setupapi
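The registry list above is a shell-command hijack: every .exe is re-associated to a "winfiles" class whose Open command runs exeroute.exe, the http/ftp/file/telnet/inffile/scrfile verbs are pointed at .com and .pif look-alikes of system tools, and smss.exe is launched from %Windir% through Run, RunServices and the Winlogon Shell value. The following Python script is an added example, not the vendor's tool, showing how a responder can check for those indicators offline against a snapshot of registry values (a mapping of (key, value name) to data, such as one parsed from a .reg export) and against a list of file paths. The snapshot layout, the two sample snapshots and the treatment of the legitimate %System%\smss.exe are the example's own assumptions; the key paths, value names and file names come from the write-up.

```python
"""
Indicator check for the Wowcraft.b changes listed above.

Added example, not the vendor's code. It works on an offline snapshot of
registry values, a {(key, value_name): data} mapping such as you would
build from a parsed .reg export, so it runs on any platform. Both
snapshots at the bottom are constructed samples, not captures from a host.
"""
import re
from typing import Dict, List, Tuple

# File names the write-up lists as created by the trojan.
DROPPED_FILES = {
    "1.com", "command.pif", "debugprogram.exe", "dxdiag.com", "exeroute.exe",
    "explorer.com", "finder.com", "iexplore.com", "iexplore.pif",
    "msconfig.com", "msconfig.sys", "regedit.com", "rundll32.com", "smss.exe",
}

# Named indicators from the registry list: (key, value name, regex on data).
# The value name "orjanprogram" is taken exactly as it appears in the write-up.
SPECIFIC_INDICATORS: List[Tuple[str, str, str]] = [
    (r"HKEY_CLASSES_ROOT\.exe", "(Default)", r"^winfiles$"),
    (r"HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command", "(Default)", r"exeroute\.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r"^explorer\.exe\s+\S"),          # anything appended after explorer.exe
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "orjanprogram", r"smss\.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "orjanprogram", r"smss\.exe"),
]

# Generic rule: any shell verb command (...\Shell\<verb>\Command) whose program
# is one of the dropped look-alikes. Covers the http/ftp/file/telnet/inffile/
# scrfile hijacks without listing each key separately.
COMMAND_KEY_RE = re.compile(r"\\Shell\\[^\\]+\\Command$", re.IGNORECASE)
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')   # quoted or bare program path


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_registry(snapshot: Dict[Tuple[str, str], str]) -> List[str]:
    """Return one line per matching indicator; an empty list means nothing found."""
    findings: List[str] = []
    lookup = {(k.lower(), n.lower()): d for (k, n), d in snapshot.items()}
    for key, name, pattern in SPECIFIC_INDICATORS:
        data = lookup.get((key.lower(), name.lower()))
        if data is not None and re.search(pattern, data, re.IGNORECASE):
            findings.append(f"indicator: {key}\\{name} = {data}")
    for (key, name), data in snapshot.items():
        if name.lower() == "(default)" and COMMAND_KEY_RE.search(key):
            m = FIRST_TOKEN_RE.match(data)
            program = (m.group(1) or m.group(2)) if m else ""
            if _basename(program) in DROPPED_FILES:
                findings.append(f"shell command hijack: {key} = {data}")
    return findings


def suspicious_files(paths: List[str]) -> List[str]:
    """Paths whose file name is on the dropped-file list.

    smss.exe is a legitimate Windows binary in %System%; the write-up's copy is
    launched from %Windir%, so only a copy outside system32 is reported.
    """
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        parent = norm.rsplit("\\", 1)[0] if "\\" in norm else ""
        base = _basename(p)
        if base in DROPPED_FILES and not (base == "smss.exe" and parent.endswith("\\system32")):
            hits.append(p)
    return hits


# Constructed sample: values as they could look on an infected host.
INFECTED_SNAPSHOT = {
    (r"HKEY_CLASSES_ROOT\.exe", "(Default)"): "winfiles",
    (r"HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command", "(Default)"): r"%Windir%\exeroute.exe %1 %*",
    (r"HKEY_CLASSES_ROOT\http\Shell\Open\Command", "(Default)"):
        r'"C:\Program Files\Common Files\iexplore.pif" -nohome',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe 1.com",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "orjanprogram"): r"%Windir%\smss.exe",
}

# Constructed sample: stock Windows XP-era defaults for the same values.
CLEAN_SNAPSHOT = {
    (r"HKEY_CLASSES_ROOT\.exe", "(Default)"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\Shell\Open\Command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\http\Shell\Open\Command", "(Default)"):
        r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
}

if __name__ == "__main__":
    for line in scan_registry(INFECTED_SNAPSHOT):
        print(line)
    print("clean snapshot findings:", scan_registry(CLEAN_SNAPSHOT))
    print(suspicious_files([r"C:\WINDOWS\system32\smss.exe", r"C:\WINDOWS\smss.exe",
                            r"C:\WINDOWS\explorer.com"]))
```

The generic rule is the one worth keeping after cleanup: restoring HKCR\.exe to "exefile" and its Open command to `"%1" %*` is only complete if the per-protocol verbs (http, ftp, file, telnet, InternetShortcut) are restored too, and a scan that checks every `\Shell\<verb>\Command` value for a .com or .pif program name catches leftovers that a fixed list of keys would miss.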