PWS-Agent.g

Type: Malware
SubType: Exploit
Discovery Date: 12/10/2006
Length: Varies
Minimum DAT: 4916 (12/11/2006)
Updated DAT: 4916 (12/11/2006)
Minimum Engine: 5.1.00
Description Added: 12/10/2006
Description Modified: 12/10/2006 7:10 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection covers a password-stealing trojan that was most recently installed by Exploit-MSWord.b via a 0-day Microsoft Word vulnerability. This threat may be detected as Generic PWS.j in DAT version 4915.

When run, it attempts to replace the exploit Word document with a "clean" copy and drops a copy of win.exe, which is then moved to the following path:

  • X:\Documents and Settings\All Users\Application Data\Microsoft\UsersCertificates\explorex.exe

The threat locates *.lnk files in one or more of the following folders and modifies them so that it is launched whenever the shortcut is executed:

  • X:\Documents and Settings\%Username%\Application Data\Microsoft\Internet Explorer\Quick Launch
  • X:\Documents and Settings\%Username%\Start Menu\Programs\Startup
  • X:\Documents and Settings\%Username%\Desktop

(Where X: is the Windows installation drive, and %Username% is the user name for the associated folder)
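The following Python triage check is an added example, not part of the original description: it looks for the two persistence indicators given above, the dropped explorex.exe and any .lnk file in the listed per-user folders that references it. It assumes the shortcut's target or arguments carry the dropper name as ANSI or UTF-16LE text, and the drive letter and user name in the usage block are placeholders.

```python
import glob
import os
from typing import Iterable, Iterator, List, Tuple

# Indicators taken from the description above: the dropped file and the
# per-user folders whose shortcuts the trojan rewrites.
DROPPER_NAME = "explorex.exe"
DROPPER_RELPATH = (r"Documents and Settings\All Users\Application Data"
                   r"\Microsoft\UsersCertificates\explorex.exe")
LNK_FOLDERS = [  # relative to X:\Documents and Settings\%Username%
    r"Application Data\Microsoft\Internet Explorer\Quick Launch",
    r"Start Menu\Programs\Startup",
    r"Desktop",
]
# Every Windows shortcut starts with HeaderSize 0x4C and the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def is_shell_link(data: bytes) -> bool:
    """Cheap format check so that non-shortcut files renamed to .lnk are skipped."""
    return data.startswith(LNK_MAGIC)

def lnk_references_dropper(data: bytes, name: str = DROPPER_NAME) -> bool:
    """Heuristic (assumption): a shortcut stores its target path and arguments
    as ANSI or UTF-16LE strings, so look for the dropper name in both encodings."""
    lowered = data.lower()  # lowercases ASCII bytes only; UTF-16LE pad bytes stay 0
    return (name.encode("ascii") in lowered
            or name.encode("utf-16-le") in lowered)

def find_hijacked_shortcuts(entries: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the paths of the shortcuts that would launch the dropper."""
    return [path for path, data in entries
            if is_shell_link(data) and lnk_references_dropper(data)]

def read_user_shortcuts(drive: str, username: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, bytes) for every *.lnk in the folders listed on the page."""
    base = os.path.join(drive + os.sep, "Documents and Settings", username)
    for folder in LNK_FOLDERS:
        for path in glob.glob(os.path.join(base, folder, "*.lnk")):
            with open(path, "rb") as fh:
                yield path, fh.read()

def dropper_present(drive: str) -> bool:
    """True if the dropped binary exists at the path given in the description."""
    return os.path.exists(os.path.join(drive + os.sep, DROPPER_RELPATH))

if __name__ == "__main__":  # placeholder drive and profile name
    for hit in find_hijacked_shortcuts(read_user_shortcuts("C:", "Administrator")):
        print("hijacked shortcut:", hit)
    print("dropper present:", dropper_present("C:"))
```

A hit only says the shortcut mentions the dropper; confirm it by inspecting the shortcut's target with a proper .lnk parser before acting on it.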

It then creates and runs threads inside the memory of Explorer.exe and ctfmon.exe, both default Windows system processes. It may sniff and steal passwords used or stored by the following web and mail applications:

  • MSN Explorer
  • Internet Explorer
  • Mozilla Firefox
  • Hotmail
  • SMTP / POP3 mail
  • The Bat!
  • Qualcomm Eudora
  • RimArts Becky! Internet Mail

and passwords stored in the following registry location:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

It may send stolen data to a website hosted on the following domain(s):

  • kir(removed)k.org.ru

and e-mails to the following address(es):

  • lumpu(removed)@mail.ru

Symptoms

  • Files mentioned were created or modified
  • Unexpected communication to the mentioned domain(s) and e-mail address(es)

Method of Infection

This threat was most recently found to be installed by Exploit-MSWord.b via a 0-day Microsoft Word vulnerability in the wild.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A
