WORM_ONLINEG.DJO
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview

This worm may be dropped by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, this worm drops several files, which Trend Micro detects as WORM_ONLINEG.DJO and TSPY_ONLINEG.FUI. It creates a registry entry to enable its automatic execution at every system startup. The dropped .DLL component is then injected as a thread into running processes, particularly EXPLORER.EXE, so that it remains memory-resident. This makes it difficult to terminate. The dropped .DLL component also serves as the information-theft and propagation component.

This worm drops copies of itself in all physical and removable drives. It also drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed.

This worm steals sensitive information, such as user names and passwords, related to certain online games. It monitors processes to steal this information.

This worm accesses URLs to download an updated version of itself. It then executes the downloaded files. As a result, new behaviors of this worm may be exhibited on the affected system. It also adds a registry key and entry to record its latest version.

Original Source: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.DJO