PWS-WMPatch

Type: Trojan
SubType: Password
Discovery Date: 03/28/2003
Length: 36.864 bytes decimal
Minimum DAT: 4255 (04/02/2003)
Updated DAT: 4763 (05/16/2006)
Minimum Engine: 5.1.00
Description Added: 03/28/2003
Description Modified: 03/31/2003 6:42 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The PWS-WMPatch entry was added to detect a 32-bit PE file of 36.864 bytes named sysman32.exe. The file is written in MSVC++ and packed with PE-Pack.

It may arrive in a spoofed e-mail that claims to come from support@yahoo.com and poses as a software patch for PayPal/WebMoney software.

When run, the file displays no visible output. It is, however, visible in the Windows Task Manager process list.

The trojan looks for cached passwords and tries to send them by e-mail to a specific address in the Czech Republic, connecting to a specific IP address that did not appear to be active at the time of writing.

With the current DATs (version 4254) this trojan is detected heuristically as a New Backdoor1 variant. Specific detection will be included in DAT version 4255.

Symptoms

- Presence of a 32-bit PE file of 36.864 bytes named sysman32.exe
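The symptom above is a file name plus a size. As an added example (not part of the McAfee entry), the following Python script walks a directory tree and reports files that match all three checks an analyst would combine: the name sysman32.exe (case-insensitive), a size of exactly 36864 bytes (the advisory's "36.864 bytes decimal"), and a parsable 32-bit x86 PE header (MZ stub, valid e_lfanew, "PE\0\0" signature, Machine == 0x014C). It only reads headers and never executes anything. The demo() function and build_fake_pe() helper are constructed test data that produce a minimal PE-shaped file for the scan to find; the PE-Pack packing mentioned in the entry is not identified by this script.

```python
import os
import struct
import tempfile
from pathlib import Path

# Indicators taken from the advisory: file name and size (36.864 bytes = 36864 decimal).
INDICATOR_NAME = "sysman32.exe"
INDICATOR_SIZE = 36864
IMAGE_FILE_MACHINE_I386 = 0x014C   # PE "Machine" field value for 32-bit x86


def is_32bit_pe(path: Path) -> bool:
    """True if the file has an MZ header, a valid e_lfanew, a 'PE\\0\\0' signature
    and a 32-bit x86 Machine field. Only headers are parsed; nothing is executed."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            f.seek(e_lfanew)
            pe = f.read(6)  # 'PE\0\0' followed by the uint16 Machine field
            if len(pe) < 6 or pe[:4] != b"PE\0\0":
                return False
            machine = struct.unpack_from("<H", pe, 4)[0]
            return machine == IMAGE_FILE_MACHINE_I386
    except OSError:
        return False


def find_indicator_files(root) -> list:
    """Walk root and return sorted paths matching name, size and 32-bit PE checks."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != INDICATOR_NAME:
                continue
            p = Path(dirpath) / name
            try:
                size = p.stat().st_size
            except OSError:
                continue
            if size == INDICATOR_SIZE and is_32bit_pe(p):
                hits.append(str(p))
    return sorted(hits)


def build_fake_pe(size: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed test data: a minimal MZ/PE header zero-padded to `size`.
    It is not malware and contains no code; size must be at least 0x86 bytes."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew: PE header at offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)    # Machine field
    return bytes(buf)


def demo() -> list:
    """Build a constructed directory tree with one true match and several
    near-misses, run the scan, and return the hits (expected: exactly one)."""
    root = Path(tempfile.mkdtemp(prefix="wmpatch_demo_"))
    tools = root / "Program Files" / "tools"
    x64 = root / "x64"
    tools.mkdir(parents=True)
    x64.mkdir()
    (tools / "SysMan32.exe").write_bytes(build_fake_pe(INDICATOR_SIZE))          # match
    (root / "sysman32.exe").write_bytes(build_fake_pe(INDICATOR_SIZE + 1))       # wrong size
    (root / "other.exe").write_bytes(build_fake_pe(INDICATOR_SIZE))              # wrong name
    (x64 / "sysman32.exe").write_bytes(build_fake_pe(INDICATOR_SIZE, 0x8664))    # 64-bit, not a match
    (tools / "sysman32.exe.txt").write_bytes(b"x" * INDICATOR_SIZE)             # not a PE
    return find_indicator_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("indicator match:", hit)
```

Name and size alone are weak indicators (a renamed or repacked copy defeats them), which is why the entry relies on engine and DAT signatures for real detection; the script is a triage aid for the listed symptom, not a replacement for scanning.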

Method of Infection

It may arrive in a spoofed e-mail message. Running the attachment executes the trojan.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • PWS-IN
