Virus: TR/PSW.WOW.JG
Date discovered: 10/01/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 56.320 Bytes
MD5 checksum: 4f5d37087939b9d4e1199d87737c3e07
VDF version: 6.36.00.060
IVDF version: 6.36.00.073

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  McAfee: PWS-Hook.dll
   •  Kaspersky: Trojan-PSW.Win32.WOW.jg
   •  Sophos: Troj/Hook-Gen
   •  Grisoft: PSW.Generic2.LEU
   •  Bitdefender: Generic.PWStealer.0F6BD06A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Steals information

Backdoor
Contact server:
All of the following:
   • http://www.cn1.grunt.wowchina.**********
   • http://www.cn2.grunt.wowchina.**********
   • http://www.cn3.grunt.wowchina.**********
   • http://www.cn4.grunt.wowchina.**********
   • http://www.cn5.grunt.wowchina.**********
   • http://www.cn6.grunt.wowchina.**********

As a result it may send some information. This is done via the HTTP POST method using a PHP script.


Sends information about:
    • Collected information described in stealing section

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'

– The following CD key:
   • World of Warcraft

– A logging routine is started after a website is visited:
   • http://www.us.logon.worldofwarcraft.com

– It captures:
    • Login information

Miscellaneous
Mutex:
It creates the following Mutex:
   • HGFSMUTEX

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Wednesday, January 10, 2007
Description updated by Monica Ghitun on Wednesday, January 10, 2007
