Summary

W32/Frethog is an information stealing trojan, which specifically steals information related to online games and sends it to the remote server

Spreading description

On execution, W32/Frethog malware creates  a copy of  itself with a random name under the %WINDIR% or %SYSTEM% or %TEMP%  folders, dependent on the variant. It creates  .dll files with random names under the %SYSTEM%  folder, which is then injected into the legitimate Windows process explorer.exe. The code checks whether any online games like World of Warcraft, Gamania etc. is running on the infected system.  It uses different runtime packers to reduce detection rate. It also creates a value, which varies dependent on the variant, under the key “RUN” in order to execute the spy on every startup of Windows. Some variants of W32/Frethog may create autorun.inf  file in order to execute the malware whenever the drive is viewed.

The payload differs dependent on the variant of the W32/Frethog.

Removal

Norman’s antivirus products are in general able to remove all malicious software that is detected.

Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean the infection.
http://www.norman.com/support/support_tools/58732/en

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.