Content
Generic PWS
- Type
- Trojan
- SubType
- Password
- Discovery Date
- Length
- N/A
- Minimum DAT
- N/A (11/30/2011)
- Updated DAT
- 6546 (11/30/2011)
- Minimum Engine
- 5.1.00
- Description Added
- 03/05/2003
- Description Modified
- 01/29/2006 8:53 PM (PT)
Tab Navigation
Characteristics
This detection covers multiple nondescript password-stealing trojans - typically one-off creations that have been received by AVERT.
The trojans may steal various passwords from the victim machine, including:
- local system username/password
- domain username/password
- MAPI username/password
- AOL or MSN username/password
- Passwords for other miscellaneous software (applications or games)
Typical methods to steal passwords from the victim machine include querying cached passwords, querying system Registry, targetting specific system files (e.g. PWL files on Win9x), faking login screen etc. etc. Once retrieved, the password(s) may be sent to the hacker in multiple ways: by mail, via HTTP (port 80), by FTP etc.
Symptoms
Specific indications may vary between different password stealing trojans, but typically the trojan will hook system startup via a Registry key, or a modification to WIN.INI or SYSTEM.INI.
Method of Infection
The trojan may be received from any of many sources. For example via email, IRC, P2P file-sharing network, newsgroup or download.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Generic PWS.a
- Generic PWS.b
- Generic PWS.c
- Generic PWS.d
- Generic PWS.e
- Generic PWS.n
Characteristics
Characteristics -
This detection covers multiple nondescript password-stealing trojans - typically one-off creations that have been received by AVERT.
The trojans may steal various passwords from the victim machine, including:
- local system username/password
- domain username/password
- MAPI username/password
- AOL or MSN username/password
- Passwords for other miscellaneous software (applications or games)
Typical methods to steal passwords from the victim machine include querying cached passwords, querying system Registry, targetting specific system files (e.g. PWL files on Win9x), faking login screen etc. etc. Once retrieved, the password(s) may be sent to the hacker in multiple ways: by mail, via HTTP (port 80), by FTP etc.
Symptoms
Symptoms -
Specific indications may vary between different password stealing trojans, but typically the trojan will hook system startup via a Registry key, or a modification to WIN.INI or SYSTEM.INI.
Method of Infection
Method of Infection -
The trojan may be received from any of many sources. For example via email, IRC, P2P file-sharing network, newsgroup or download.
Removal -
Removal -
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
Variants
Variants -
N/A