One of the highest hitting worms that ThreatFire encountered over the past week is a worm designed to target online game player logins by dropping a password stealer and rootkit components on infected systems. We previously blogged about the help.exe component that drops rkd.dll, amvo0.dll and amvo.exe, and now we observe many more variants that are repacked with some fairly sophisticated packer and code perversion technology.
The password stealers themselves are updated on various websites that we have observed moving locations throughout China, repacked for AV and emulation evasion purposes. We also see ongoing server side polymorphism with the dropper.
The executables all display very unusual static PE characteristics. First, the import directory contains the name of one DLL (kernel32) and imports only three of its functions (LoadLibraryA, GetProcAddress, ExitProcess), the bare-bones minimum that you need for a PE packer:
All of the section names are mangled, to further raise our suspicion:
And finally, the resource section is huge and unrecognizable to a simple resource section parser (hint — it contains more executable code):
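The three traits above lend themselves to a static triage check. The following Python is an added example, not ThreatFire's code: it reads a PE32 image with only the standard library, collects the import list, section names and resource directory size, and flags the traits on a constructed test image (the byte layout of that image and the resource-size threshold are assumptions).

```python
import re, struct

def parse_pe(data):
    """Minimal PE32 reader: section names, imports per DLL, resource directory size."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    fh = struct.unpack_from("<HHIIIHH", data, pe + 4)  # IMAGE_FILE_HEADER
    opt, nsec, sect = pe + 24, fh[1], pe + 24 + fh[5]
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # data directories
    imp_rva, _, _, res_size = struct.unpack_from("<IIII", data, dd + 8)  # entries 1 (import), 2 (resource)
    secs = [struct.unpack_from("<8sIIII", data, sect + 40 * i) for i in range(nsec)]
    def off(rva):  # RVA -> file offset through the section table (StopIteration if unmapped)
        return next(rva - va + raw for _, vs, va, rs, raw in secs if va <= rva < va + max(vs, rs))
    def cstr(rva): o = off(rva); return data[o:data.index(b"\0", o)].decode("latin-1")
    imports, d = {}, off(imp_rva)
    while struct.unpack_from("<I", data, d + 12)[0]:  # a descriptor with Name == 0 ends the list
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        t, funcs = off(oft or ft), []
        while (e := struct.unpack_from("<I", data, t)[0]):
            funcs.append("#%d" % (e & 0xFFFF) if e & 0x80000000 else cstr(e + 2))  # ordinal or hint/name
            t += 4
        imports[cstr(name_rva).lower()], d = funcs, d + 20
    return {"sections": [s[0].rstrip(b"\0").decode("latin-1") for s in secs],
            "imports": imports, "resource_size": res_size, "file_size": len(data)}

def packer_traits(info):
    """Flags for the three static traits described above (thresholds are assumptions)."""
    flags = []
    if set(info["imports"]) == {"kernel32.dll"} and set(info["imports"]["kernel32.dll"]) == {
            "LoadLibraryA", "GetProcAddress", "ExitProcess"}:
        flags.append("bare-minimum loader imports")
    if all(not re.fullmatch(r"\.?[A-Za-z0-9_]+", s) for s in info["sections"]):
        flags.append("all section names mangled")
    if info["resource_size"] > info["file_size"] // 2:
        flags.append("oversized resource directory")
    return flags

def build_sample_pe():  # constructed test image (not a real sample): 2 mangled sections, 3 kernel32 imports
    hints, thunks, rva = b"", b"", 0x1000 + 40 + 16  # hint/name area follows descriptors + thunk array
    for n in (b"LoadLibraryA", b"GetProcAddress", b"ExitProcess"):
        thunks, hints = thunks + struct.pack("<I", rva + len(hints)), hints + b"\0\0" + n + b"\0"
    imp = struct.pack("<IIIII", 0x1028, 0, 0, rva + len(hints), 0x1028) + b"\0" * 20
    imp = (imp + thunks + b"\0" * 4 + hints + b"kernel32.dll\0").ljust(0x200, b"\0")
    res = b"\xCC" * 0x800  # "resource" section that is really more code
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102) + struct.pack("<H", 0x10B).ljust(96, b"\0")
    hdr += struct.pack("<IIIIII", 0, 0, 0x1000, 40, 0x2000, len(res)).ljust(128, b"\0")
    hdr += b"\x01\x7f.q".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400) + b"\0" * 16
    hdr += b"Z\x02z\x80".ljust(8, b"\0") + struct.pack("<IIII", len(res), 0x2000, len(res), 0x600) + b"\0" * 16
    return hdr.ljust(0x400, b"\0") + imp + res
```

Run `packer_traits(parse_pe(open(path, "rb").read()))` against a real binary; a clean build with conventional section names and a normal import table raises none of the three flags.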
Unfortunately, this incessant rate of change effectively results in a low rate of AV scanner detection:
If you are seeing a popup like this one, go ahead and quarantine the thing: