McAfee > Theat Center > Virus Detail Page

Overview

PWS-Maran.dr drops and registers an executable as a service and installs a dropped dll as a Layered Service Provider (LSP) to WinSock to sniff and steal personal information.

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Troj/Maran-Gen (Sophos)

• Trojan-PSW.Win32.Maran.ba (Kaspersky)

• TSPY_MARAN.D (Trend Micro)

Characteristics

PWS-Maran.dr drops and registers an executable as a service and installs a dropped dll as a Layered Service Provider (LSP) to WinSock to sniff and steal personal information.

On execution it drops the following files:

• %WinDir%\smss.exe (detected as PWS-Maran)
• %WinDir%\system32\ou9sound.dll (detected as PWS-Maran.dll) or
• %WinDir%\system32\ouviewer.dll (detected as PWS-Maran.dll)

It then registers the dropped smss.exe as a service which automatically gets activated on reboot by creating the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETDown

• Type: 0x00000010
• Start: 0x00000002
• ErrorControl: 0x00000000
• ImagePath: "%WinDir%\smss.exe"
• DisplayName: "Card Adapter"
• ObjectName: "LocalSystem"

The dropped dll is installed as a Layered Service Provider (LSP) to WinSock, so that this dll can intercept / sniff internet traffic and potentially steal personal information entered using the compromised computer. In particular it looks for usernames and passwords for online games. The following registry entry is used to install the dll as LSP:

• hkey_local_machine\system\currentcontrolset\services\winsock\parameters\protocol_catalog9

Symptoms

• Presence of files and registries as mentioned
• Unexpected network traffic
  

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

PWS-Maran.dr drops and registers an executable as a service and installs a dropped dll as a Layered Service Provider (LSP) to WinSock to sniff and steal personal information.

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Troj/Maran-Gen (Sophos)

• Trojan-PSW.Win32.Maran.ba (Kaspersky)

• TSPY_MARAN.D (Trend Micro)

Characteristics

Characteristics -

PWS-Maran.dr drops and registers an executable as a service and installs a dropped dll as a Layered Service Provider (LSP) to WinSock to sniff and steal personal information.

On execution it drops the following files:

• %WinDir%\smss.exe (detected as PWS-Maran)
• %WinDir%\system32\ou9sound.dll (detected as PWS-Maran.dll) or
• %WinDir%\system32\ouviewer.dll (detected as PWS-Maran.dll)

It then registers the dropped smss.exe as a service which automatically gets activated on reboot by creating the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETDown

• Type: 0x00000010
• Start: 0x00000002
• ErrorControl: 0x00000000
• ImagePath: "%WinDir%\smss.exe"
• DisplayName: "Card Adapter"
• ObjectName: "LocalSystem"

The dropped dll is installed as a Layered Service Provider (LSP) to WinSock, so that this dll can intercept / sniff internet traffic and potentially steal personal information entered using the compromised computer. In particular it looks for usernames and passwords for online games. The following registry entry is used to install the dll as LSP:

• hkey_local_machine\system\currentcontrolset\services\winsock\parameters\protocol_catalog9

Symptoms

Symptoms -

• Presence of files and registries as mentioned
• Unexpected network traffic
  

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A