PWCrack-Passware
- Type: Program
- SubType: Tool
- Discovery Date: 01/16/2006
- Minimum DAT: 4675 (01/16/2006)
- Updated DAT: 4966 (02/19/2007)
- Minimum Engine: 5.1.00
- Description Added: 01/16/2006
- Description Modified: 02/14/2007 12:23 PM (PT)
Characteristics
McAfee(R) Avert(R) Labs recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a trojan. It is detected as a Potentially Unwanted Program (PUP). The PWCrack-Passware detection covers certain tools authored by Passware, Inc. that are intended for password recovery or recovery of encrypted or password-protected data. Though these tools have legitimate uses, in some cases they also present the potential for abuse.
EFSKey - This is a tool intended for use in recovering EFS-encrypted files from NTFS partitions. Though useful in this way, it could also be used maliciously to gain unauthorized access to encrypted data. It appears that administrative credentials and access to the appropriate SAM database or prior knowledge of the original encryption password is required for successful file recovery. This limits the exposure for such misuse, though it is still possible.
The application displays a license agreement when installed.
Privacy
A privacy policy is not displayed during installation.
The software itself does not inherently present a privacy risk. However, it could be intentionally misused to gain unauthorized access to encrypted data, compromising the privacy of the target.
System Changes
General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
Files Added
- Installer (demo version): efskeyd.exe (548 KB)
  MD5: F2DE5BCFE60F380789CB78B71071747A
- %ProgramFiles%\passware\
- %ProgramFiles%\passware\demos\
- %ProgramFiles%\passware\demos\un-efskeyd.exe (34 KB)
  MD5: 772B2D4018B7F8191523863006185EE1
- %ProgramFiles%\passware\demos\pk.chm (64 KB)
- %ProgramFiles%\passware\demos\efskey.exe (194 KB)
  MD5: B30B83F4AC80C3C4F75A5AEF120F3A3F
- %ProgramFiles%\passware\demos\efsdll.dll (188 KB)
  MD5: A380576572CA1A7B23EA2C05FBDADFA4
- C:\documents and settings\(username)\start menu\programs\passware demo\efs key demo.lnk (1 KB)
Other main executable versions known:
- efskey.exe (174 KB)
  MD5: 072E4CCFC15570B120F70B64BBCCB310
Registry
The following registry keys are created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EFS Key Demo
  "UninstallString"="C:\Program Files\Passware\demos\un-efskeyd.exe"
  "DisplayName"="EFS Key 7.11 Demo"
  "StartMenu"="Passware Demo"
- HKEY_CURRENT_USER\Software\Passware
- HKEY_CURRENT_USER\Software\Passware\EFS Key\7\Registration
- HKEY_CURRENT_USER\Software\Passware\EFS Key\ToolTip
- HKEY_CURRENT_USER\Software\Passware\EFS Key\MainWindow
Aliases
- N/A