Generic PWS.at

This page shows the details and results of our analysis of the malware Generic PWS.at.

Overview

This is a generic detection for many nondescript password-stealing trojans.

Minimum DAT: 5569 (2009-03-30)
Updated DAT: 5916 (2010-03-10)
Minimum Engine: 5.2.00
File Length: Varies
Description Added: 2009-03-30
Description Modified: 2009-05-12
Malware Proliferation

Characteristics

This is a generic detection for certain variants of password-stealing Trojans. A generic description of password-stealing Trojans is available at http://vil.nai.com/vil/content/v_100100.htm

Samples for this variant exhibited the following characteristics upon analysis:

The following registry keys are added upon execution:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{58C8F03F-3804-18B4-9CE7-28767D4B479A}
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider

The malware hooks into the 'Winlogon' process via the following registry modification:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" Data: [Path to userinit.exe], %Windir%\system32\sdra64.exe,


It also sets the following registry value:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "EnableFirewall" Data: 0


The following directory is created:

  • %windir%\system32\lowsec

The following files are created:

  • %windir%\system32\sdra64.exe
  • %windir%\system32\lowsec\local.ds
  • %windir%\system32\lowsec\user.ds

Contact is attempted with the following domains:

  • hxxp://fack[removed].com
  • hxxp://fir[removed].com
  • hxxp://thev[removed].com
  • hxxp://gauhan[removed].com (During the time of testing, this website did not appear to be active)

Symptoms

  • Presence of the aforementioned Registry key(s)
  • Network connections to the aforementioned domain(s)
  • Presence of the aforementioned file(s)
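The indicators above can be checked offline against an exported registry snapshot and a file listing. The following Python is an added example, not part of the original description: the snapshot and file set are constructed sample data shaped like the page's indicators, and the key and file paths are the ones listed above.

```python
"""Offline triage for the Generic PWS.at indicators listed on this page.

The registry snapshot and file listing below are constructed sample data;
nothing here reads a live system.
"""
import ntpath  # Windows path semantics regardless of the host platform

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile")
# Dropped files from the page, relative to %windir%.
DROPPED_FILES = (r"system32\sdra64.exe", r"system32\lowsec\local.ds", r"system32\lowsec\user.ds")


def unexpected_userinit_entries(value, windir=r"C:\WINDOWS"):
    """Return every Userinit entry other than the legitimate userinit.exe.

    Userinit is a comma-separated list; this family appends its own executable
    after the real userinit.exe and leaves a trailing comma, so anything beyond
    the expected path is reported. Comparison is case-insensitive.
    """
    expected = ntpath.normcase(ntpath.join(windir, "system32", "userinit.exe"))
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.normcase(e) != expected]


def audit(registry, files, windir=r"C:\WINDOWS"):
    """Return human-readable findings for the page's registry and file indicators.

    `registry` maps (key, value_name) -> data; `files` is a set of full paths.
    """
    findings = []
    for extra in unexpected_userinit_entries(registry.get((WINLOGON_KEY, "Userinit"), ""), windir):
        findings.append(f"Userinit launches an extra program: {extra}")
    if registry.get((FIREWALL_KEY, "EnableFirewall")) == 0:
        findings.append("Windows Firewall disabled in StandardProfile (EnableFirewall = 0)")
    present = {ntpath.normcase(f) for f in files}
    for rel in DROPPED_FILES:
        full = ntpath.join(windir, rel)
        if ntpath.normcase(full) in present:
            findings.append(f"Dropped file present: {full}")
    return findings


# Constructed sample snapshot modelled on the indicators above (not real data).
SAMPLE_REGISTRY = {
    (WINLOGON_KEY, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    (FIREWALL_KEY, "EnableFirewall"): 0,
}
SAMPLE_FILES = {r"C:\WINDOWS\system32\sdra64.exe", r"C:\WINDOWS\system32\lowsec\local.ds"}
CLEAN_REGISTRY = {(WINLOGON_KEY, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,"}

if __name__ == "__main__":
    for line in audit(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(line)
```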

Method of Infection

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants