Generic PWS.o

Type: Trojan
SubType: Win32
Discovery Date: 04/06/2005
Length: various
Minimum DAT: 4463 (04/06/2005)
Updated DAT: 5373 (08/29/2008)
Minimum Engine: 5.1.00
Description Added: 04/06/2005
Description Modified: 07/09/2008 11:51 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Update: 07/10/2008

A new variant of Generic PWS.o captures keystrokes.

It drops the following files:

  • %WinDir%\system32\beep.sys
  • %WinDir%\system32\ds.dat
  • %WinDir%\system32\gwin32.dll
  • %WinDir%\system32\swin32.dll
  • %WinDir%\randseed.rnd

It deletes the following system files:

  • %WinDir%\system32\clb.dll
  • %WinDir%\system32\clbcatex.dll
  • %WinDir%\system32\clbcatq.dll
  • %WinDir%\system32\dllcache\clb.dll
  • %WinDir%\system32\dllcache\clbcatex.dll
  • %WinDir%\system32\dllcache\clbcatq.dll

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
  • HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver

--------------------------------------------------------------------------

Update: 05/24/2007

A new variant of Generic PWS.o is being downloaded via malicious URLs. When executed, this variant injects a DLL into the memory space of explorer.exe, which then downloads various online game password stealers.

The DLL is dropped in %programfiles%\Internet Explorer folder with the following names:

  • BinNice.dll
  • HiJack.dll
  • RomDrivers.dll

The trojan copies itself into the %programfiles%\Internet Explorer folder with the following names:

  • BinNice.bak
  • HiJack.bak
  • RomDrivers.bak

The trojan attempts to download other online game password stealer trojans from the following malicious URLs. These URLs host exploits such as MS06-014 and MS07-017.

  • hxxp://16a.us
  • hxxp://7y7.us
  • hxxp://ws91.com

Registry changes

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\: "%programfiles%\Internet Explorer\<DLLNAME>"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09B68AD9-FF66-3E63-636B-B693E62F6236}:

Update: 04/20/2007

A variant of Generic PWS.o is being downloaded by Generic Downloader.ab. This variant is injected into the Explorer.exe process and tries to communicate with 81.29.241.20 to send captured information to the author.

It looks for POP, FTP, IMAP and ICQ passwords.
--------------------------------------------------------------------------

This is a password stealing trojan that captures keystrokes and sends notification and captured information to the author via HTTP. Online email and bank account information (username/password) is particularly vulnerable to this threat.

There are several variants of the trojan. The description is for a specific sample.

When run, the trojan copies itself to %Sysdir% directory. The following file names are used:

  • MSSVC.EXE 

It creates a registry run key to load itself at Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "winnsvc" = "msvc.exe"

Symptoms

Update: 04/20/2007

Since another variant of Generic PWS.o is injected into Explorer.exe, you may notice this process attempting to communicate with 81.29.241.20 in order to post the captured information.
------------------------------------------------------------------------------------

Existence of files and registry keys mentioned above.

Contacts a server on port 80 (g2.slapeddw.info) and posts system information (OS, service pack, browser, etc.) to a PHP file.

The trojan also has a keylogger component: it waits for keystrokes and posts them to the same PHP file.

Acts as a proxy server.
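The symptoms above come down to the presence of the dropped files and registry keys, the absence of the system DLLs the 07/10/2008 variant deletes, and the "winnsvc" run-key value. The following read-only check is an added example and is not McAfee's code or tooling; it resolves %WinDir%, %Sysdir% and %programfiles% from the environment, and the function name Find-GenericPwsOArtifacts is an assumption for this example. It reports what it finds and changes nothing.

```powershell
# Added example (not part of McAfee's description): read-only artifact check
# for the Generic PWS.o indicators listed on this page. Run in an elevated
# PowerShell session on the host under investigation.

$WinDir = $env:WINDIR                          # %WinDir%
$SysDir = Join-Path $WinDir 'system32'         # %Sysdir%
$IEDir  = Join-Path $env:ProgramFiles 'Internet Explorer'

# Files the 07/10/2008 and 05/24/2007 variants and the base sample drop.
# Presence is the indicator. Note that beep.sys is also a legitimate Windows
# driver, but it lives in system32\drivers, not directly under system32.
$DroppedFiles = @()
$DroppedFiles += @('system32\beep.sys', 'system32\ds.dat', 'system32\gwin32.dll',
                   'system32\swin32.dll', 'randseed.rnd') |
                 ForEach-Object { Join-Path $WinDir $_ }
$DroppedFiles += @('BinNice.dll', 'HiJack.dll', 'RomDrivers.dll',
                   'BinNice.bak', 'HiJack.bak', 'RomDrivers.bak') |
                 ForEach-Object { Join-Path $IEDir $_ }
$DroppedFiles += Join-Path $SysDir 'MSSVC.EXE'

# Legitimate COM+ catalog DLLs that the 07/10/2008 variant deletes.
# Here the indicator is absence, not presence.
$DeletedFiles = @('clb.dll', 'clbcatex.dll', 'clbcatq.dll',
                  'dllcache\clb.dll', 'dllcache\clbcatex.dll', 'dllcache\clbcatq.dll') |
                ForEach-Object { Join-Path $SysDir $_ }

# Registry keys added by the variants (HKLM paths from the description).
# CurrentControlSet normally aliases ControlSet001, so only it is checked.
$AddedKeys = @(
    'SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData',
    'SOFTWARE\MRSoft',
    'SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys',
    'SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys',
    'SYSTEM\CurrentControlSet\Services\clbdriver',
    'SOFTWARE\Classes\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09B68AD9-FF66-3E63-636B-B693E62F6236}'
) | ForEach-Object { "HKLM:\$_" }

# Hypothetical function name for this example; returns one object per finding.
function Find-GenericPwsOArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($p in $DroppedFiles) {
        if (Test-Path -LiteralPath $p) {
            $findings.Add([pscustomobject]@{ Kind = 'DroppedFilePresent'; Item = $p })
        }
    }
    foreach ($p in $DeletedFiles) {
        if (-not (Test-Path -LiteralPath $p)) {
            $findings.Add([pscustomobject]@{ Kind = 'SystemFileMissing'; Item = $p })
        }
    }
    foreach ($k in $AddedKeys) {
        if (Test-Path -LiteralPath $k) {
            $findings.Add([pscustomobject]@{ Kind = 'RegistryKeyPresent'; Item = $k })
        }
    }

    # Persistence of the base sample: value "winnsvc" under the HKLM Run key.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['winnsvc']) {
        $findings.Add([pscustomobject]@{ Kind = 'RunKeyValue'; Item = "winnsvc = $($run.winnsvc)" })
    }

    return $findings
}

$results = Find-GenericPwsOArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No Generic PWS.o artifacts from this description were found.'
} else {
    $results | Format-Table -AutoSize
}
```

A missing clb.dll on a host that otherwise shows none of the dropped files is weak evidence on its own, so treat the SystemFileMissing findings as corroboration rather than a verdict. The host check pairs naturally with the network symptoms above: outbound port 80 traffic from explorer.exe to g2.slapeddw.info or 81.29.241.20 in proxy or firewall logs is the other half of the picture.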

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Use the latest Engine/DATs.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
