Trojan.Rohoteng is a Trojan horse that attempts to steal confidential information related to online games running on the compromised computer. It then attempts to send this information to predetermined Web sites.
When Trojan.Rohoteng is executed, it performs the following actions:
1. Creates the following mutex, so that only one copy of the Trojan runs on the compromised computer at one time:
ONLY_MUTEX_sg2008_ro_hot_Gen
2. Adds the value:
"reseurce" = "[PATH TO TROJAN FILE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
3. Checks the titles of all open windows on the compromised computer and looks for a title matching one of the following strings:
* Ragnarok
* ODINGAME_ONLINE
Note: If the title of an open window matches one of these strings, the Trojan attempts to steal information about the process associated with that window.
4. Attempts to send this information to the following Web sites:
* [http://]www.lineage0.com/[REMOVED]/3guo.asp
* [http://]www.lineage0.com/[REMOVED]/ro.asp
* [http://]www.lineage0.com/[REMOVED]/hot.asp
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/trojan.rohoteng.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"reseurce" = "[PATH TO TROJAN FILE]"
6. Exit the Registry Editor.
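The following PowerShell script is an added example, not part of the Symantec writeup, that checks a host for the two indicators described above (the single-instance mutex and the "reseurce" value under the Run subkey) and automates the manual registry clean-up in the removal steps. The mutex name, value name and subkey are taken from the writeup; the function names, output text and the SHA256 logging step are assumptions made for this example. Run it from an elevated PowerShell session, since the Run subkey lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example: host check and clean-up for the Trojan.Rohoteng indicators above.
# Indicator values come from the writeup; everything else is constructed for this example.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'reseurce'
$MutexName = 'ONLY_MUTEX_sg2008_ro_hot_Gen'

function Test-RohotengMutex {
    # Returns $true if the Trojan's single-instance mutex currently exists on this host,
    # which indicates a running copy. Requires .NET 4.5+ for TryOpenExisting.
    $mutex = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$mutex)) {
            $mutex.Dispose()
            return $true
        }
    } catch [System.UnauthorizedAccessException] {
        # The mutex exists but this session cannot open it: still evidence of presence.
        return $true
    }
    return $false
}

function Get-RohotengRunValue {
    # Returns the path stored in the "reseurce" value, or $null if the value is absent.
    $item = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$ValueName
}

function Remove-RohotengRunValue {
    # Deletes the persistence value (steps 4-5 of the removal instructions).
    # Use -WhatIf to see what would be removed without changing the registry.
    param([switch]$WhatIf)

    $path = Get-RohotengRunValue
    if ($null -eq $path) {
        Write-Output "No '$ValueName' value found under $RunKey."
        return $false
    }
    Write-Output "Found '$ValueName' = '$path'"

    # Preserve a hash of the referenced file before clean-up so the sample can be
    # kept for analysis; the value may be quoted, so strip surrounding quotes first.
    $file = $path.Trim('"')
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        Write-Output "SHA256 of referenced file: $hash"
    }

    Remove-ItemProperty -Path $RunKey -Name $ValueName -WhatIf:$WhatIf
    return $true
}

# Usage: report both indicators, then remove the persistence value.
if (Test-RohotengMutex) {
    Write-Warning "Mutex '$MutexName' is present: a copy of the Trojan is likely running."
    Write-Warning "Terminate the process referenced by the Run value before deleting the file."
}
Remove-RohotengRunValue
```

The mutex check only tells you whether a copy is running right now; the registry value is the durable indicator, so the script reports both and removes only the latter. Deleting the Run value stops the Trojan from restarting at logon, but the referenced file and any running process still need to be dealt with separately, as the writeup's removal page describes.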