Threat behavior
Win32/Tilcun is a family of trojans that steals online game passwords and sends this captured data to remote sites.
Installation
When executed, Trojan:Win32/Tilcun drops a DLL to the System folder using a variant-specific filename (for example, one variant drops the file <system folder>\wrqszl.dll). It then drops another file, <system folder>\winsys.reg, and uses it to modify the registry so that the DLL is loaded at each Windows start:
Adds value: “0”
With data: "{<clsid>}"
To subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS
Adds value: "(default)"
With data: "<dll filename>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\<clsid>\INPROCSERVER32
where <clsid> is a hex string for the CLSID and <dll filename> is the filename of the dropped DLL mentioned above.
For example:
Adds value: "(default)"
With data: "<system folder>\wrqszl.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\INPROCSERVER32
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
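The registry changes above are the persistence mechanism an analyst can check for. The following Python script is an added example, not part of this encyclopedia entry or of Microsoft's tooling: it parses a Regedit 5 export (such as a dumped copy of winsys.reg, or an export of the two keys from a suspect machine), lists every CLSID registered under the ShellExecuteHooks key, resolves each one to the DLL named in its InprocServer32 default value, and flags any DLL that is not in a small allowlist of in-box shell hooks. The sample .reg text is constructed for the example; it reuses the CLSID and wrqszl.dll filename quoted above and adds a made-up benign entry that points at shell32.dll. The allowlist and the parser's handling of both value layouts (CLSID as the value name, or as the data of a value named "0") are assumptions of the example.

```python
"""Find ShellExecuteHooks persistence in a Windows .reg export (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export modelled on the registry changes described for
# Win32/Tilcun; it is not the malware's real winsys.reg. The F99DEFDD... CLSID
# and wrqszl.dll come from the entry; the 0000...0001 entry is a made-up benign
# hook that resolves to shell32.dll.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-0000-0000-0000-000000000001}"=""
"0"="{F99DEFDD-200B-4410-B572-E90883D527D2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\InprocServer32]
@="C:\\Windows\\System32\\wrqszl.dll"
"""

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed allowlist: DLLs shipped with Windows that legitimately host shell execute hooks.
KNOWN_HOOK_DLLS = {"shell32.dll"}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit 5 export into {key_path_lowercased: {value_name: data}}.

    '@' becomes the key's "(default)" value. Quoted string data has its
    backslash escapes removed; dword:/hex: data is kept verbatim, which is
    enough for resolving DLL paths.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape \\ and \"
        keys[current][name] = data
    return keys


def shell_execute_hooks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (clsid, dll_path) for every CLSID registered as a ShellExecuteHook.

    The CLSID is looked for in both the value name and the value data, so the
    usual layout ("{clsid}"="") and the layout described for this trojan
    ("0"="{clsid}") are both caught. Unresolvable CLSIDs are still reported.
    """
    found: List[Tuple[str, str]] = []
    for name, data in keys.get(HOOKS_KEY, {}).items():
        for guid in GUID_RE.findall(name + " " + data):
            server_key = f"hkey_local_machine\\software\\classes\\clsid\\{guid.lower()}\\inprocserver32"
            dll = keys.get(server_key, {}).get("(default)", "<unresolved>")
            found.append((guid.upper(), dll))
    return found


def suspicious_hooks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Hooks whose in-process server DLL is not one of the known in-box DLLs."""
    return [(clsid, dll) for clsid, dll in shell_execute_hooks(keys)
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_HOOK_DLLS]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    flagged = set(suspicious_hooks(parsed))
    for clsid, dll in shell_execute_hooks(parsed):
        label = "SUSPICIOUS" if (clsid, dll) in flagged else "known"
        print(f"{label:10} {clsid} -> {dll}")
```

Run against the constructed sample, the script reports the shell32.dll hook as known and the wrqszl.dll hook as suspicious. On a real machine the same check can be run against `reg export` output of the two keys; any hook whose DLL sits outside the allowlist, or whose CLSID has no InprocServer32 entry at all, deserves a closer look, and the flagged DLL path is what to submit for scanning and remove together with both registry values.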
Payload
Steals Online Game Passwords
Win32/Tilcun sets up hooks in order to capture login information for popular online games. It then sends the captured data to a remote site.
Analysis by Chun Feng
Prevention