Virus: TR/PSW.WOW.AT.3
Date discovered: 16/08/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 46.564 Bytes
MD5 checksum: 156b6eb8383244bd63285e229ee7dbac
VDF version: 6.35.01.99
IVDF version: 6.35.01.100 - Wednesday, August 16, 2006
General
Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Trojan-PSW.Win32.WOW.fl
• TrendMicro: TSPY_WOW.KG
• Bitdefender: Trojan.PWS.WOW.AD

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disable security applications
• Drops a file
• Drops a malicious file
• Registry modification
• Steals information

Files
It copies itself to the following locations:
• %WINDIR%\Debug\DebugProgram.exe
• %SYSDIR%\regedit.com
• %SYSDIR%\dxdiag.com
• %SYSDIR%\MSCONFIG.COM
• %drive%:\pagefile.pif
• %drive%:\autorun.inf
• %WINDIR%\ExERoute.exe
• %WINDIR%\1.com
• %WINDIR%\explorer.com
• %PROGRAM FILES%\Common Files\iexplore.pif
• %PROGRAM FILES%\Common Files\iexplore.com
• %WINDIR%\finder.com
• %SYSDIR%\command.pif
• %SYSDIR%\finder.com
• %SYSDIR%\rundll32.com
• %WINDIR%\WINLOGON.EXE

The following file is created:

Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • "Torjan Program"="%WINDIR%\WINLOGON.EXE"

The following registry keys are added:
– HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
  • "GUID"="{%CLSID%}"
– HKCR\.exe
  • "(Default)"="winfiles"
– HKCR\winfiles\Shell\Open\Command
  • "(Default)"="%WINDIR%\ExERoute.exe "%1" %*"
– HKCR\winfiles\DefaultIcon
  • "(Default)"="%1"
– HKCR\winfiles
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • "Shell"="Explorer.exe 1"
– HKCR\Drive\shell\find\command
  • "(Default)"="%SystemRoot%\explorer.com"
– HKCR\http\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\common files\iexplore.pif" -nohome"
– HKCR\htmlfile\shell\opennew\command
  • "(Default)"=""%PROGRAM FILES%\common files\iexplore.pif" %1"
– HKCR\ftp\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
– HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com""
– HKCR\Applications\iexplore.exe\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
– HKCU\Software\Microsoft\Internet Explorer\Main
  • "Check_Associations"="No"
– HKCR\htmlfile\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" -nohome"
– HKCR\Unknown\shell\openas\command
  • "(Default)"="%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
– HKCR\telnet\shell\open\command
  • "(Default)"="finder.com url.dll,TelnetProtocolHandler %l"
– HKCR\scriptletfile\Shell\Generate Typelib\command
  • "(Default)"=""%SYSDIR%\finder.com" %SYSDIR%\scrobj.dll,GenerateTypeLib "%1""
– HKCR\scrfile\shell\install\command
  • "(Default)"="finder.com desk.cpl,InstallScreenSaver %l"
– HKCR\InternetShortcut\shell\open\command
  • "(Default)"="finder.com shdocvw.dll,OpenURL %l"
– HKCR\inffile\shell\Install\command
  • "(Default)"="%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
– HKCR\htmlfile\shell\Print\command
  • "(Default)"=""%PROGRAM FILES%\Microsoft Office\Office10\msohtmed.exe" /p %1"
– HKCR\dunfile\shell\open\command
  • "(Default)"="%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
– HKCR\cplfile\shell\cplopen\command
  • "(Default)"="rundll32.com shell32.dll,Control_RunDLL %1,%*"
– HKCR\.bfc\ShellNew
  • "command"="%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
– HKCR\.lnk\ShellNew
  • "command"="rundll32.com appwiz.cpl,NewLinkHere %1"
– HKCU\Software\Microsoft\Visual Basic\5.0

Process termination
List of processes that are terminated:
• RAVMON.EXE; TROJDIE; KPOP; CCENTER; ASSISTSE; KPFW; AGENTSVR; KREG; IEFIND; IPARMOR; SVI.EXE; UPHC; RULEWIZE; FYGT; RFWSRV; RFWMA

Stealing
It tries to steal the following information:
– Passwords from the following programs:
  • World of Warcraft
  • The Legend of Mir
– A logging routine is started after a website is visited whose URL contains one of the following substrings:
  • us.logon.worldofwarcraft.com
  • eu.logon.worldofwarcraft.com
  • tw.logon.worldofwarcraft.com

File details
Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
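The registry section above describes a classic .exe file-association hijack (HKCR\.exe redirected to "winfiles", whose open command routes every program launch through ExERoute.exe), a Run-key persistence entry, a modified Winlogon Shell, a redirected http handler and a suppressed IE association check. The following added example, which is not part of this description and not code from the vendor, checks a regedit export for exactly those modifications. The .reg text embedded in it is constructed for the example, with %WINDIR% and %PROGRAM FILES% expanded to typical paths; the only fact it assumes beyond the page is that a clean Windows installation registers .exe as "exefile".

```python
import re
from typing import Dict, List

# Constructed sample in regedit export format (not taken from the description).
# It reproduces several of the registry changes listed above, with the
# environment placeholders expanded, plus one benign key the scan must ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="winfiles"

[HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command]
@="C:\\WINDOWS\\ExERoute.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\common files\\iexplore.pif\" -nohome"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Check_Associations"="No"

[HKEY_CURRENT_USER\Software\Example\Benign]
"Setting"="1"
'''

# Short hive names, as used in the description above.
HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CURRENT_USER": "HKCU"}
# A value line: either @ (the default value) or a quoted name, then '=' and data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    """Strip surrounding quotes and undo .reg backslash escaping."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key path (lowercased): {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            # Registry paths are case-insensitive, so store them lowercased.
            current = (HIVES.get(hive, hive) + "\\" + rest).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def _values(keys: Dict[str, Dict[str, str]], path: str) -> Dict[str, str]:
    return keys.get(path.lower(), {})


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per modification from the description that is present."""
    hits: List[str] = []
    exe = _values(keys, r"HKCR\.exe").get("(Default)")
    # Windows registers .exe as "exefile"; the description shows it rewritten to "winfiles".
    if exe is not None and exe.lower() != "exefile":
        hits.append(f".exe file type redirected to '{exe}'")
    cmd = _values(keys, r"HKCR\winfiles\Shell\Open\Command").get("(Default)", "")
    if "exeroute.exe" in cmd.lower():
        hits.append("winfiles open command runs ExERoute.exe (every .exe launch is proxied)")
    run = _values(keys, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    if "Torjan Program" in run:
        hits.append(f"Run value 'Torjan Program' -> {run['Torjan Program']}")
    shell = _values(keys, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon").get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append(f"Winlogon Shell changed to '{shell}'")
    http = _values(keys, r"HKCR\http\shell\open\command").get("(Default)", "")
    if "iexplore.pif" in http.lower():
        hits.append("http protocol handler points to iexplore.pif instead of iexplore.exe")
    ie = _values(keys, r"HKCU\Software\Microsoft\Internet Explorer\Main")
    if ie.get("Check_Associations", "").lower() == "no":
        hits.append("IE Check_Associations set to No (association repair prompt suppressed)")
    return hits


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```

The checks are deliberately written against the behaviour (a non-default .exe handler, a non-Explorer shell) rather than only the literal strings, so a variant that renames "winfiles" or ExERoute.exe still trips the first two findings; the Run-value name and the .pif handler are matched literally because those are the specific artefacts this description records.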
Description inserted by Marius T. Nicolae on Wednesday, September 13, 2006 Description updated by Andrei Ivanes on Friday, October 6, 2006