Content

Generic PWS.y!cbm

Type
Trojan
SubType
Password Stealer
Discovery Date
03/02/2010
Length
Varies
Minimum DAT
5908 (03/02/2010)
Updated DAT
6561 (12/15/2011)
Minimum Engine
5.3.00
Description Added
03/02/2010
Description Modified
03/10/2010 2:59 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

The main function of this Trojan is to steal compromised user’s information and send that to the remote attacker through a log file.

This Trojan injects itself into a running process and steals the following information from victim’s machine.

  • System Date and time
  • Name of the application used by the compromised user
  • Also, it steals the key strokes when the user strokes the below mentioned keys:
    • DEL
    • TAB

Below is a log file which stores all the captured information and sends it to a remote attacker.

The Trojan drops the log file in the following location:

  • %WinDir%\system32\mrxykey.log

(where %WinDir% is the Windows directory e.g. C:\Windows)

Symptoms

  •  Presence of above mentioned activities.
  •  Presence of above mentioned file.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants

    N/A

All Information

Overview -

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Properties

  • MD5    - 9926255EAB0D3090A3937DE9975A3A2D
  • SHA1  - F2F1DF5D4BFB0DC242749B534C4D31D9E36A165F

Aliases

  • A-squared - Trojan.Win32.Urbin.A!IK
  • Avast        - Win32:Spyware-gen
  • GData       - Win32:Spyware-gen
  • Ikarus       - Trojan.Win32.Urbin.A

Characteristics

Characteristics -

The main function of this Trojan is to steal compromised user’s information and send that to the remote attacker through a log file.

This Trojan injects itself into a running process and steals the following information from victim’s machine.

  • System Date and time
  • Name of the application used by the compromised user
  • Also, it steals the key strokes when the user strokes the below mentioned keys:
    • DEL
    • TAB

Below is a log file which stores all the captured information and sends it to a remote attacker.

The Trojan drops the log file in the following location:

  • %WinDir%\system32\mrxykey.log

(where %WinDir% is the Windows directory e.g. C:\Windows)

Symptoms

Symptoms -

  •  Presence of above mentioned activities.
  •  Presence of above mentioned file.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants -

    N/A