PWS-FerTP

Type: Trojan
SubType: Password Stealer
Discovery Date: 04/15/2008
Length: various
Minimum DAT: 5284 (04/29/2008)
Updated DAT: 5284 (04/29/2008)
Minimum Engine: 5.1.00
Description Added: 04/28/2008
Description Modified: 04/29/2008 2:28 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low


Overview

PWS-FerTP is a Trojan that steals FTP account details from infected machines and posts them to a remote server. It then uses those accounts to inject malicious HTML into the HTML and PHP files it finds on the FTP sites it can log in to.

Characteristics

When executed, PWS-FerTP retrieves FTP account details saved by the following applications, if installed:

  • FAR Manager
  • GlobalScape CuteFTP
  • Ghisler Total Commander

It also switches the first network adapter it finds to promiscuous mode and records every FTP login that passes over the network segment. FTP sends user names and passwords in clear text, so any account used from a machine on the same segment is exposed, not only accounts stored on the infected host.

PWS-FerTP then logs in to each FTP account it has collected and looks for files with one of the following names:

  • index.htm
  • main.htm
  • default.htm
  • index.php
  • main.php
  • default.php

When such a file is found, PWS-FerTP inserts an IFRAME HTML tag that redirects visitors of the site to money2008.org.
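The injected IFRAME is easiest to find on the server side. The PowerShell script below is an added example, not part of the McAfee description and not the trojan's code: it walks a local copy of a web root (the default `-WebRoot` path is an assumption), picks out the six file names listed above and reports every IFRAME tag it finds with its `src`, flagging frames that point at money2008.org and frames styled to be invisible. It is read-only.

```powershell
# Added example: find IFRAME tags in the files PWS-FerTP targets.
# Usage: .\Find-InjectedIframe.ps1 -WebRoot 'D:\sites\example' [-RedirectHost money2008.org]
# The default web root is an assumption; the redirect host is the one named in the description.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string]$RedirectHost = 'money2008.org'
)

# File names the trojan looks for on each FTP account.
$Targets = 'index.htm', 'main.htm', 'default.htm', 'index.php', 'main.php', 'default.php'

# Any <iframe ...> tag; group 1 captures the src value, quoted or not.
$IframePattern = '(?is)<iframe\b[^>]*?\bsrc\s*=\s*["'']?([^"''\s>]+)[^>]*>'

# Injected frames are usually made invisible so the site owner does not notice them.
$HiddenPattern = '(?i)\bwidth\s*=\s*["'']?0\b|\bheight\s*=\s*["'']?0\b|display\s*:\s*none|visibility\s*:\s*hidden'

$hits = Get-ChildItem -Path $WebRoot -Recurse -File -Include $Targets -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { return }   # empty or unreadable file: nothing to scan
        foreach ($m in [regex]::Matches($text, $IframePattern)) {
            $src = $m.Groups[1].Value
            [pscustomobject]@{
                File      = $file.FullName
                Modified  = $file.LastWriteTime
                Src       = $src
                KnownHost = [bool]($src -match [regex]::Escape($RedirectHost))
                Hidden    = [bool]($m.Value -match $HiddenPattern)
            }
        }
    }

if (-not $hits) {
    "No IFRAME tags found in target files under $WebRoot"
} else {
    # Known redirect host first, then hidden frames, then everything else for review.
    $hits | Sort-Object -Property KnownHost, Hidden -Descending | Format-Table -AutoSize
}
```

The trojan edits files on the FTP server, not on the infected workstation, so run this on the web server itself or on a fresh download of the site, and compare the Modified column against the date of your last deployment. Legitimate frames (ads, embedded widgets) will also be listed; only the rows flagged KnownHost or Hidden need immediate attention, the rest need a human pass.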

It also creates the following mutex to ensure that only one instance of the trojan is active on the infected system:

  • i_iut7gtjuhj221v2

PWS-FerTP adds the following two values to the Windows registry. The first registers the trojan's own executable in the Windows Firewall exception list under the label "ipsec"; the second clears the WinInet "Work Offline" state so that its HTTP requests go out:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "<PROGRAM_PATH>" = "<PROGRAM_PATH>:*:Enabled:ipsec"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    "GlobalUserOffline" = "0x0"
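The mutex and the two registry values above are the host-level artifacts a responder can check for. The PowerShell below is an added example, not McAfee's tooling and not the trojan's code; it uses only the indicators given in this description. Checking the mutex under the `Global\` prefix as well as the bare name is an assumption (the description gives only the bare name). The script reports and removes nothing.

```powershell
# Added example: report PWS-FerTP host indicators (mutex and registry values from the
# description above). Read-only. Run as the user who may have executed the sample
# (the mutex and the HKCU value are per-session/per-user); elevate for the HKLM key.
$MutexName    = 'i_iut7gtjuhj221v2'
$FirewallList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$findings = @()

# 1. Mutex. The trojan creates it so that a second copy exits; if it can be opened,
#    a copy is running now. OpenExisting throws WaitHandleCannotBeOpenedException
#    when no mutex of that name exists. The Global\ variant is an assumption.
foreach ($name in @($MutexName, "Global\$MutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex '$name' is present: an instance is likely running"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present, the expected result on a clean host
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex '$name' exists but could not be opened (access denied)"
    }
}

# 2. Windows Firewall (XP SP2 / Server 2003) exception list. Each value has the form
#    "<path>:*:Enabled:<label>"; the trojan registers its own path under the label 'ipsec'.
#    Vista and later keep live rules elsewhere, so an empty key there proves nothing.
if (Test-Path $FirewallList) {
    $entries = (Get-ItemProperty -Path $FirewallList).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }    # drop PSPath, PSProvider, etc.
    foreach ($e in $entries) {
        $label = ("$($e.Value)" -split ':')[-1]
        if ($label -eq 'ipsec') {
            $findings += "Firewall exception labelled 'ipsec' for '$($e.Name)' (value: $($e.Value))"
        }
    }
}

# 3. GlobalUserOffline = 0 turns off WinInet's "Work Offline" state so the trojan's
#    HTTP requests go out. Common on clean machines too, so corroborating evidence only.
$v = Get-ItemProperty -Path $InetSettings -Name GlobalUserOffline -ErrorAction SilentlyContinue
if ($null -ne $v -and [int]$v.GlobalUserOffline -eq 0) {
    $findings += "GlobalUserOffline is 0 (weak indicator on its own)"
}

if ($findings.Count -eq 0) { 'No PWS-FerTP indicators found' } else { $findings }
```

A present mutex or an 'ipsec' firewall entry whose path is not a known IPsec component is a strong hit; GlobalUserOffline alone is not. On a hit, treat every FTP account stored in the listed clients, and every FTP account used from the same network segment while the machine was infected, as compromised.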

Symptoms

  • Unexpected outbound FTP and HTTP connections from the infected machine.
  • A network adapter switched to promiscuous mode.
  • Presence of the mutex and registry values described above.
  • IFRAME tags pointing to money2008.org in the index, main or default .htm and .php files of FTP sites whose credentials were stored on, or used near, the infected machine.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Cleaning the infected machine does not undo the damage done elsewhere: change the password of every FTP account that was stored in the listed clients or used over the same network segment while the trojan was active, and check the index, main and default .htm and .php files on those sites for the injected IFRAME.

Additional Windows ME/XP removal considerations

Variants

    N/A