Virus: TR/Abwiz.P.1
Date discovered: 20/03/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 45.272 Bytes
MD5 checksum: e1523d6e4eab645ae719164726342d12
VDF version: 6.34.00.75

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: PWSteal.Metafisher
   • McAfee: Spy-Agent.ak
   • Kaspersky: Trojan-Spy.Win32.BZub.e
   • TrendMicro: TROJ_ABWIZ.P
   • Bitdefender: Trojan.Abwiz.P


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It deletes the following files:
   • C:\zzzzzzzzzzzzzzzzzzzzzzz222
   • C:\ccccccccccccccccoemrciermicomeriocmeiormcioermo
   • C:\cc5y456 455 4 54cccccccoemrciermicomeriocmeiormcioermo



The following files are created:

%SYSDIR%\info.txt
This is a non-malicious text file with the following content:
   • %stolen information%

%SYSDIR%\form.txt
This is a non-malicious text file with the following content:
   • %stolen information%

%SYSDIR%\msnscps.dll
Further investigation showed that this file is malware as well. Detected as: TR/Abwiz.P

Registry
The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
   • httpreport
   • waspopup
   • formwas



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE = %PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer



The following registry keys are added:

– [HKCR\CLSID\{78364D99-A640-4ddf-B91A-67EFF8373045}\InprocServer32]
   • @ = %SYSDIR%\msnscps.dll
   • ThreadingModel = apartment

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
   • next_install = %hex number%
   • compid = %hex values%
   • httpreport = %hex values%
   • waspopup = %hex values%
   • formwas = %hex values%
   • info_size = %hex values%



The following registry key is changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • Enable Browser Extensions = yes
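The registry changes listed above (the values under "Control Panel\load", the CLSID whose InprocServer32 points at the dropped DLL, and the firewall exception for Internet Explorer) together with the files dropped into %SYSDIR% can be checked from a defender's side with a short read-only script. The following PowerShell is an added example, not code from the original description or from Avira; the key paths, value names, CLSID and file names come from the description above, while the reporting format, the variable names and the assumption of a PowerShell 4.0 or newer session (for Get-FileHash) are this example's own.

```powershell
# Added defender-side check for the artifacts listed in the TR/Abwiz.P.1
# description. Not part of the original page; paths and names are taken from
# the description, everything else is an assumption of this example.
# Read-only: it reports findings and changes nothing. Run elevated.

$findings = @()

# 1. Values the trojan writes under the "Control Panel\load" key
$loadKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load'
$loadValues = 'next_install', 'compid', 'httpreport', 'waspopup', 'formwas', 'info_size'
if (Test-Path $loadKey) {
    $props = Get-ItemProperty -Path $loadKey
    foreach ($name in $loadValues) {
        if ($null -ne $props.PSObject.Properties[$name]) {
            $findings += "Registry value present: $loadKey\$name"
        }
    }
}

# 2. CLSID whose InprocServer32 default value should point at msnscps.dll
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{78364D99-A640-4ddf-B91A-67EFF8373045}\InprocServer32'
if (Test-Path $clsidKey) {
    $default = (Get-ItemProperty -Path $clsidKey).'(default)'
    $findings += "CLSID InprocServer32 present, default value: $default"
}

# 3. Windows XP firewall exception added for Internet Explorer
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    (Get-ItemProperty -Path $fwKey).PSObject.Properties |
        Where-Object { $_.Name -like '*\IEXPLORE.EXE' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 4. Files dropped into the system directory; the MD5 is reported for the
#    analyst, since the page gives a hash only for the dropper itself
$sysDir = [Environment]::SystemDirectory
foreach ($file in 'msnscps.dll', 'info.txt', 'form.txt') {
    $path = Join-Path $sysDir $file
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm MD5).Hash
        $findings += "File present: $path (MD5 $hash)"
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from the TR/Abwiz.P.1 description were found.'
} else {
    $findings
}
```

On a clean machine the script prints the single "No artifacts" line; each hit otherwise appears as one line so the output can be fed into a ticket or SIEM as-is. A firewall exception for IEXPLORE.EXE can also be created legitimately, so that finding alone is a prompt to look at the other three, not a verdict.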

Backdoor
Contact server:
   • http://european-business-organization.com/**********

This is done via the HTTP POST method using a PHP script.


Sends information about:
    • Computer name
    • Created logfiles
    • IP address
    • Current malware status
    • Collected information described in stealing section
    • Information about the Windows operating system

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started after a website is visited:
   • %any website that contains a login form%

– It captures:
    • Window information
    • Login information

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Gherman on Tuesday, March 28, 2006
Description updated by Andrei Gherman on Tuesday, March 28, 2006
