Win32/Helpud is a family of trojans that steal online game passwords and also act as a delivery mechanism for additional online-game password-stealing malware.
Installation
When executed, Trojan:Win32/Helpud copies itself and drops a DLL to the %windir%\Help directory using randomly generated file names (for example %windir%\help\07ee48aabfd6.dll). The DLL that is dropped may be a variant of many different families of online game password stealing malware.
It then modifies the registry so that the DLL is loaded at each Windows start, adding values and data specific to the particular variant to the following subkeys:
Adds value: "0"
With data: "{<clsid>}"
To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS
Adds value: "(default)"
With data: <dll filename>
To subkey: HKLM\SOFTWARE\Classes\CLSID\<clsid>\INPROCSERVER32
Where <clsid> is the hex string of the CLSID and <dll filename> is the path of the dropped DLL mentioned above. For example:
Adds value: "(default)"
With data: "%windir%\help\07ee48aabfd6.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{A9579D22-0FD7-4A25-9CF4-976982696DCC}\INPROCSERVER32
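The persistence mechanism described above leaves two artifacts that can be cross-checked offline: a CLSID registered under the Explorer ShellExecuteHooks key, and an InProcServer32 entry for that CLSID pointing at a DLL in the Windows Help directory. The following Python script is an added detection example, not code from the original analysis: it parses a `reg export` style dump of those two keys, resolves every hook CLSID to its DLL, and flags the ones whose DLL sits under %windir%\Help or carries a random-looking hex filename. The sample export is constructed for the example; the Helpud entry uses the page's example CLSID and DLL name, while the second, benign hook (shell32.dll) is an assumption added for contrast. The parser accepts the CLSID either as the value name (the usual ShellExecuteHooks layout) or as the value data (the form described on this page).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in .reg export format (backslashes doubled, as reg export
# writes them). The Helpud hook uses the CLSID and DLL name from the page; the
# shell32 hook is an assumed benign entry included for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"0"="{A9579D22-0FD7-4A25-9CF4-976982696DCC}"
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A9579D22-0FD7-4A25-9CF4-976982696DCC}\InProcServer32]
@="C:\\Windows\\help\\07ee48aabfd6.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# DLL path under the Windows Help directory, literal or via %windir%/%SystemRoot%
HELP_DIR_RE = re.compile(r"^(?:[a-z]:\\(?:windows|winnt)|%windir%|%systemroot%)\\help\\", re.I)
# Filenames made only of hex digits, like the page's 07ee48aabfd6.dll
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8,}\.dll$", re.I)


def _unquote(token: str) -> str:
    """Strip the surrounding quotes of a .reg string and undo its escaping."""
    token = token.strip()
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        token = token[1:-1]
    return token.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {lowercased key path: {value name: string data}} for a .reg dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def registered_hooks(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Collect every CLSID under ShellExecuteHooks, from value names or data."""
    found: List[str] = []
    for name, data in keys.get(HOOKS_KEY, {}).items():
        for candidate in (name, data):
            for guid in GUID_RE.findall(candidate):
                if guid.upper() not in found:
                    found.append(guid.upper())
    return found


def server_dll(keys: Dict[str, Dict[str, str]], clsid: str):
    """Resolve a CLSID to the (default) value of its InProcServer32 subkey."""
    key = rf"hkey_local_machine\software\classes\clsid\{clsid.lower()}\inprocserver32"
    return keys.get(key, {}).get("(default)")


def find_suspicious_hooks(text: str) -> List[Tuple[str, str, str]]:
    """Return (clsid, dll path, reason) for hooks matching the Helpud pattern."""
    keys = parse_reg_export(text)
    findings: List[Tuple[str, str, str]] = []
    for clsid in registered_hooks(keys):
        dll = server_dll(keys, clsid)
        if dll is None:
            findings.append((clsid, "", "hook CLSID has no InProcServer32 entry"))
            continue
        reasons = []
        if HELP_DIR_RE.search(dll):
            reasons.append("DLL lives in the Windows Help directory")
        if RANDOM_NAME_RE.match(dll.rsplit("\\", 1)[-1]):
            reasons.append("random-looking hex filename")
        if reasons:
            findings.append((clsid, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for clsid, dll, reason in find_suspicious_hooks(SAMPLE_REG_EXPORT):
        print(f"{clsid} -> {dll or '<missing>'}: {reason}")
```

On a live host the input would come from `reg export` of the ShellExecuteHooks key and of HKLM\SOFTWARE\Classes\CLSID, concatenated into one file; the script itself only needs the text, so it can be run against exports collected from many machines or from an offline hive. A hook whose CLSID has no InProcServer32 entry is also reported, since a dangling hook is worth a look on its own.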
Payload
Steals online game passwords
Trojan:Win32/Helpud sets up hooks in order to capture login information for popular online games. It then sends the captured data to a remote site.
The dropped DLL may be one of many different game password stealer families. Examples of known affiliate malware families include the following:
Analysis by Matt McCormack