PWS-FerTP
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 04/15/2008
- Length: various
- Minimum DAT: 5284 (04/29/2008)
- Updated DAT: 5284 (04/29/2008)
- Minimum Engine: 5.1.00
- Description Added: 04/28/2008
- Description Modified: 04/29/2008 2:28 AM (PT)
Characteristics
When executed, PWS-FerTP retrieves FTP account details saved by the following applications, if installed:
- FAR Manager
- GlobalScape CuteFTP
- Ghisler Total Commander
It also switches the first network adapter found to promiscuous mode and saves every FTP account that transits the network.
PWS-FerTP connects to each FTP account and looks for files whose name is in the following list:
- index.htm
- main.htm
- default.htm
- index.php
- main.php
- default.php
When such a file is found, PWS-FerTP inserts an IFRAME HTML tag redirecting users to money2008.org.
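A site owner whose FTP credentials may have leaked will want to check the files listed above for the injected IFRAME. The scanner below is an added example, not part of the McAfee description: it walks a copy of the web root, looks only at the filenames the trojan targets, and flags any IFRAME whose src host is money2008.org. The sample pages are constructed, and the regex-based tag matching is an assumption about how the injected markup looks.

```python
import re
from pathlib import Path

# Filenames PWS-FerTP looks for on each FTP account (from the description).
TARGET_NAMES = {"index.htm", "main.htm", "default.htm",
                "index.php", "main.php", "default.php"}
# Domain the injected IFRAME redirects to (from the description).
INJECTED_DOMAIN = "money2008.org"

# Assumption: the injected tag is an ordinary <iframe ...> element; match it
# case-insensitively, since the trojan may emit upper-case tag names.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*([^"'\s>]+)""", re.IGNORECASE)


def find_injected_iframes(html: str) -> list:
    """Return the src of every IFRAME whose host is money2008.org or a subdomain."""
    hits = []
    for tag in IFRAME_RE.finditer(html):
        m = SRC_RE.search(tag.group(0))
        if not m:
            continue
        src = m.group(1)
        # Strip scheme, path and port to compare the bare host name.
        host = re.sub(r"^[a-z]+://", "", src, flags=re.IGNORECASE)
        host = host.split("/")[0].split(":")[0].lower()
        if host == INJECTED_DOMAIN or host.endswith("." + INJECTED_DOMAIN):
            hits.append(src)
    return hits


def scan_tree(root: str) -> dict:
    """Walk a local copy of the web root; map each hit file to its injected srcs."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in TARGET_NAMES:
            srcs = find_injected_iframes(path.read_text(errors="replace"))
            if srcs:
                findings[str(path)] = srcs
    return findings


# Constructed sample pages (not real captures): one injected, one benign.
SAMPLE_INJECTED = ("<html><body><h1>Welcome</h1>\n"
                   '<IFRAME src="http://money2008.org/in.cgi?3" width=1 height=1 '
                   'style="visibility:hidden"></IFRAME>\n</body></html>')
SAMPLE_CLEAN = '<html><body><iframe src="https://www.example.com/w"></iframe></body></html>'

if __name__ == "__main__":
    import sys
    for name, srcs in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {', '.join(srcs)}")
```

Run it against a freshly downloaded copy of the site rather than over FTP, so the check itself does not reuse credentials that may already be stolen.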
It also creates the following mutex to ensure only one instance of the trojan is active on the infected system:
- i_iut7gtjuhj221v2
PWS-FerTP adds the following two values in the Windows registry:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  "<PROGRAM_PATH>" = "<PROGRAM_PATH>:*:Enabled:ipsec"
  (this is the Windows Firewall exceptions list, so the trojan's own network traffic is allowed through)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  "GlobalUserOffline" = "0x0"
  (this clears the WinINet "Work Offline" state so the trojan's HTTP connections are not blocked)
Symptoms
Unexpected FTP and HTTP access.
Presence of the registry keys described above.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
N/A
Overview
PWS-FerTP is a Trojan that attempts to steal FTP account details from infected machines and posts them to a remote server. It also injects malicious HTML code into HTML and PHP scripts found on FTP repositories.