Virus: TR/PSW.WOW.PQ.1
Date discovered: 19/02/2007
Type: Trojan
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 19.717 Bytes
MD5 checksum: 2e216d6f39d7a805b6fa02e51c967c4b
VDF version: 6.37.01.112
IVDF version: 6.37.01.113 - Monday, February 19, 2007

General Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Steals information

Files:
It copies itself to the following location:
   • %TEMPDIR%\svchots.exe



The following files are created:

   • %TEMPDIR%\She1132.dll
     This file is executed once it has been fully written. Further analysis showed that it is malware too. Detected as: TR/PSW.WOW.PQ

   • %TEMPDIR%\~Tm94.tmp.dll
     This file is executed once it has been fully written. Further analysis showed that it is malware too. Detected as: TR/Dldr.Smal.dp.1.D

Registry:
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Winlogin"="%TEMPDIR%\svchots.exe"
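
A host-triage check for the persistence artefacts listed above, added here as an example; it is not part of the original description. It flags autorun entries whose image is one of the dropped file names, lives in a temp directory, or (a heuristic chosen for this example, not a statement from the description) is a near-miss of a legitimate Windows name such as svchost.exe or winlogon. The Run entries it scans are constructed sample data.

```python
import os
import re

# Artefacts taken from the description: the Run value name and the dropped file names.
SUSPECT_RUN_VALUE = "Winlogin"
DROPPED_FILES = {"svchots.exe", "she1132.dll", "~tm94.tmp.dll"}
# Legitimate names the trojan's artefacts resemble (assumption: near-miss heuristic of this example).
LEGIT_NAMES = ("svchost.exe", "winlogon")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (a swapped pair such as 'ts'/'st' counts as 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_temp_dir(image: str) -> bool:
    """True when the autorun image path points into a temp directory (expanded or not)."""
    low = image.lower()
    return low.startswith("%temp") or re.search(r"[\\/](temp|tmp)[\\/]", low) is not None


def classify_run_entry(name: str, image: str) -> list:
    """Return the reasons a Run value looks like TR/PSW.WOW.PQ.1 persistence; empty if none."""
    reasons = []
    base = os.path.basename(image.replace("\\", "/")).lower()
    if base in DROPPED_FILES:
        reasons.append(f"image '{base}' is a file dropped by TR/PSW.WOW.PQ.1")
    if in_temp_dir(image):
        reasons.append("autorun image lives in a temp directory")
    if name.lower() == SUSPECT_RUN_VALUE.lower():
        reasons.append(f"value name '{name}' matches the documented Run value")
    for legit in LEGIT_NAMES:
        for candidate in (base, name.lower()):
            if 0 < edit_distance(candidate, legit) <= 2:
                reasons.append(f"'{candidate}' is a near-miss of legitimate '{legit}'")
    return reasons


def scan_run_entries(entries) -> dict:
    """Map each flagged (name, image) pair to its reasons; clean entries are omitted."""
    flagged = {}
    for name, image in entries:
        reasons = classify_run_entry(name, image)
        if reasons:
            flagged[(name, image)] = reasons
    return flagged


# Constructed sample Run entries: one mimicking the trojan, two ordinary ones.
SAMPLE_ENTRIES = [
    ("Winlogin", r"%TEMPDIR%\svchots.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for entry, reasons in scan_run_entries(SAMPLE_ENTRIES).items():
        print(entry, "->", "; ".join(reasons))
```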

Stealing:
It tries to steal the following information:
– Passwords typed into password input fields

– The password from the following program:
   • wow.exe

Injection:
–  It injects the following file into a process: %temp%\She1132.dll

– It injects a process-watching routine into a process.

    Process name:
   • %all running processes%


–  It injects the following file into a process: %temp%\~Tm94.tmp.dll

– It injects a process-watching routine into a process.

    Process name:
   • %all running processes%


File details:
Runtime packer:
To hinder detection and reduce the file's size, it is packed with the following runtime packer:
   • WinUpack

Description inserted by Gabriel Mustata on Tuesday, February 20, 2007
Description updated by Andrei Ivanes on Thursday, March 1, 2007
