virus logo Virus

W32/OnLineGames.MJJ!tr.pws

description-logoAnalysis

  • Deletes itself from the current folder.

  • Adds the following registry:
    • key:SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • value:MsIMMs32
    • data: undefinedwindowsundefined\MsIMMs32.exe
  • Drops the file MsIMMs32.exe  into the Windows folder.

  • Drops the file MsIMMs32.dll  into the System folder, then injects it into the process of explorer.exe.

  • Searches for the client window of PoTianYiJian, then steals the accounts and passwords of this online software.

  • The stolen information is sent to the following URL:
      • http://www.{REMOVED}.com/xinpotian/lin.asp

    recommended-action-logoRecommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry logoTelemetry

    Detection Availability

    FortiGate
    Extreme
    FortiClient
    Extended
    FortiMail
    Extended
    FortiSandbox
    Extended
    FortiWeb
    Extended
    Web Application Firewall
    Extended
    FortiIsolator
    Extended
    FortiDeceptor
    Extended
    FortiEDR
    ID 411454
    Released Dec 31, 2007
    Description
    Updated    		 Jan 07, 2008
    Aliases Trojan-PSW.Win32.OnLineGames.mjl, a variant of Win32/PSW.OnLineGames.NFL, W32/OnLineGames.MJJ!tr.pws, Win32.OnLineGames.mj, TrojanPSW.OnLineGames.mjl.OnlineGames.ZDM, Win32:OnLineGames-BCD, TR/PSW.OnlineGames.mjl
    Platform Profile Win32 file format / PE 32 bit
    Profile Type Trojan Password Stealing (tr.pws)