Virus:TR/PSW.WOW.FL
Date discovered:16/08/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:46.593 Bytes
MD5 checksum:ef6d2a817015475d18dd6ae45f95c332
VDF version:6.35.01.99
IVDF version:6.35.01.100 - Wednesday, August 16, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-PSW.Win32.WOW.fl
   •  TrendMicro: TSPY_WOW.KG
   •  Bitdefender: Trojan.PWS.WOW.AD


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops a file
   • Drops a malicious file
   • Registry modification
   • Steals information

 Files It copies itself to the following locations:
   • %WINDIR%\Debug\DebugProgram.exe
   • %WINDIR%\System32\regedit.com
   • %SYSDIR%\dxdiag.com
   • %SYSDIR%\MSCONFIG.COM
   • d:\pagefile.pif
   • %WINDIR%\ExERoute.exe
   • %WINDIR%\1.com
   • %WINDIR%\explorer.com
   • %PROGRAM FILES%\Common Files\iexplore.pif
   • %PROGRAM FILES%\Common Files\iexplore.com
   • %WINDIR%\finder.com
   • %SYSDIR%\command.pif
   • %SYSDIR%\finder.com
   • %SYSDIR%\rundll32.com
   • %WINDIR%\WINLOGON.EXE



The following file is created:

– D:\autorun.inf Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.WOW.CJ

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Torjan Program"="%WINDIR%\WINLOGON.EXE"



The following registry keys are added:

– HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger\
   Settings
   • "GUID"="{%CLSID%}"

– HKCR\.exe
   • "(Default)"="winfiles"

– HKCR\winfiles\Shell\Open\Command
   • "(Default)"="%WINDIR%\ExERoute.exe "%1" %*"

– HKCR\winfiles\DefaultIcon
   • "(Default)"="%1"

– HKCR\winfiles
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   • "Shell"="Explorer.exe 1"

– HKCR\Drive\shell\find\command
   • "(Default)"="%SystemRoot%\explorer.com"

– HKCR\http\shell\open\command
   • "(Default)"=""%PROGRAM FILES%\common files\iexplore.pif" -nohome"

– HKCR\htmlfile\shell\opennew\command
   • "(Default)"=""%PROGRAM FILES%\common files\iexplore.pif" %1"

– HKCR\ftp\shell\open\command
   • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"

– HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\
   OpenHomePage\Command
   • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com""

– HKCR\Applications\iexplore.exe\shell\open\command
   • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"

– HKCU\Software\Microsoft\Internet Explorer\Main
   • "Check_Associations"="No"

– HKCR\htmlfile\shell\open\command
   • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" -nohome"

– HKCR\Unknown\shell\openas\command
   • "(Default)"="%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

– HKCR\telnet\shell\open\command
   • "(Default)"="finder.com url.dll,TelnetProtocolHandler %l"

– HKCR\scriptletfile\Shell\Generate Typelib\command
   • "(Default)"=""%SYSDIR%\finder.com" %SYSDIR%\scrobj.dll,GenerateTypeLib "%1""

– HKCR\scrfile\shell\install\command
   • "(Default)"="finder.com desk.cpl,InstallScreenSaver %l"

– HKCR\InternetShortcut\shell\open\command
   • "(Default)"="finder.com shdocvw.dll,OpenURL %l"

– HKCR\inffile\shell\Install\command
   • "(Default)"="%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"

– HKCR\htmlfile\shell\Print\command
   • "(Default)"=""%PROGRAM FILES%\Microsoft Office\Office10\msohtmed.exe" /p %1"

– HKCR\dunfile\shell\open\command
   • "(Default)"="%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"

– HKCR\cplfile\shell\cplopen\command
   • "(Default)"="rundll32.com shell32.dll,Control_RunDLL %1,%*"

– HKCR\.bfc\ShellNew
   • "command"="%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"

– HKCR\.lnk\ShellNew
   • "command"="rundll32.com appwiz.cpl,NewLinkHere %1"

– HKCU\Software\Microsoft\Visual Basic\5.0

 Process termination List of processes that are terminated:
   • RAVMON.EXE; TROJDIE; KPOP; CCENTER; ASSISTSE; KPFW; AGENTSVR; KREG;
      IEFIND; IPARMOR; SVI.EXE; UPHC; RULEWIZE; FYGT; RFWSRV; RFWMA


 Stealing It tries to steal the following information:

– Passwords from the following programs:
   • World of Warcraft
   • The Legend of Mir

– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • us.logon.worldofwarcraft.com
   • eu.logon.worldofwarcraft.com
   • tw.logon.worldofwarcraft.com

 File details Programming language:
 The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Marius T. Nicolae on Tuesday, September 12, 2006
Description updated by Andrei Ivanes on Thursday, October 5, 2006

Back . . . .