;Template Description for Analyst:
;AnalystName: Enter your complete name
;AnalystEMailID: EMail ID of analyst
;Team: Specify the team you belong to: China, India, Romania or Ukraine
;Date: Define the date in dd-mmm-yyyy format when you write or update this description, e.g. 10-JAN-2010
;Type: This should come from the malware name; for Virus.Win32.Virut, Type is Virus
;Platform: This is always fixed as Win32 as of now
;Family: The malware family this description belongs to
;Variant: If you are writing for a specific variant in a family, mention so, e.g. Virus.Win32.Virut.CE
;OVERVIEW: Give a brief overview of malware behavior
;TECHNICAL_DESCRIPTION: Give a complete technical description
;SYMPTOMS: If the system is infected with the malware and there are visible symptoms that an end user can identify, mention them here, if any
;DISINFECTION: If there are manual steps a user can follow to remove the malware, such as removing certain registry entries or files, they should be mentioned here.
;
;The "Removal instructions" section of http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790 is a good example.
;Here are a few example links where other vendors have published information in various
;http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99
;http://www.f-secure.com/v-descs/virus_w32_virut.shtml
;http://vil.nai.com/vil/content/v_154029.htm
;http://www.avast.com/eng/win32beagle.html
;http://free.avg.com/ww-en/66558
;http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790
;This ini file should be filled in for every major variant and attached to the related ticket in trac

[INFO]
AnalystName=Vaishnavi.V.K
AnalystEMailID=vaishnavik@yahoo.com
Team=India
Date=31-MAR-2010
Type=TrojWare
Platform=Win32
Subtype=
Family=Pincav
Variant=A

[OVERVIEW]
It is a trojan program which steals user login information, mostly targeting popular online gaming websites.
[TECHNICAL_DESCRIPTION]
Registry keys modified:
Original value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
Modified value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,ofeab.exe"

Files added:
C:\WINDOWS\system32\ofeab.exe

It steals passwords for the following online gaming websites when the user visits them:
https://www.worldofwarcraft.com/login/login
http://www.nexon.com
http://id.hangame.com/login/loginerr.jsp
http://id.hangame.com
http://maplestory.nexon.com
http://df.nexon.com/?go=home|intro
http://yulgang.mgame.com
http://www.gersang.co.kr\
http://itemmall.gersang.co.kr\
http://r2.hangame.com
http://12sky2.paran.com
http://sp1.nexon.com
http://aion.plaync.co.kr
https://login.plaync.co.kr
http://game4.netmarble.net/prius/main.asp
https://login.yahoo.co.jp
https://member.gungho.jp/front/guest/login.aspx
http://arad.hangame.co.jp
https://login.live.com
http://sns.atfb.jp
http://www.hatena.ne.jp/login
https://www.hatena.ne.jp/login
https://login.mail.goo.ne.jp
https://www.google.com
https://sec.excite.co.jp
http://www.exblog.jp
https://www.yaplog.jp
http://mixi.jp
https://mixi.jp
https://secure.nicovideo.jp
http://peevee.tv/login.jspx
https://secure.id.fc2.com
http://member.livedoor.com/login
https://member.livedoor.com/login.atwiki.jp/
https://login.yahoo.com/config/login?.intl=tw
http://tw.yahoo.com
https://tw.gash.gamania.com/gashlogin.aspx
https://tw.gash.gamania.com/updatemainaccountpassword.aspx

[SYMPTOMS]

[DISINFECTION]
Edit the following value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,ofeab.exe"
as
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe"
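;Added example (not part of this description or of any vendor tool): a check for the Userinit persistence above, which flags entries appended to the Winlogon Userinit value and rebuilds the clean value the DISINFECTION section asks for. The sample values are constructed from the registry lines in this description.

```python
import ntpath

# Constructed sample values, in the form shown in TECHNICAL_DESCRIPTION.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,ofeab.exe"

# The only program Winlogon should launch from Userinit on a stock system.
EXPECTED = r"c:\windows\system32\userinit.exe"
# Bare file names in Userinit are found via the system directory, which is
# also where this trojan drops its copy (assumed Windows XP layout).
SYSTEM32 = r"C:\WINDOWS\system32"


def parse_userinit(value):
    """Split the comma-separated Userinit value into non-empty entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def resolve(entry):
    """Normalise an entry to a full lower-case path for comparison."""
    path = entry if ntpath.isabs(entry) else ntpath.join(SYSTEM32, entry)
    return ntpath.normpath(path).lower()


def suspicious_entries(value):
    """Return every Userinit entry that is not the expected userinit.exe."""
    return [ntpath.normpath(ntpath.join(SYSTEM32, e)) if not ntpath.isabs(e) else e
            for e in parse_userinit(value) if resolve(e) != EXPECTED]


def cleaned_userinit(value):
    """Rebuild the value with only userinit.exe, as in DISINFECTION."""
    kept = [e for e in parse_userinit(value) if resolve(e) == EXPECTED]
    # If the legitimate entry itself was removed, fall back to the stock path.
    return kept[0] if kept else r"C:\WINDOWS\system32\userinit.exe"


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_USERINIT), ("infected", INFECTED_USERINIT)):
        print(label, "->", suspicious_entries(value) or "no extra entries")
        print("  restore to:", cleaned_userinit(value))
```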