Home / malware Trojan:Win32/Fakegina.R
First posted on 15 October 2010.
Source: SecurityHomeAliases :
Trojan:Win32/Fakegina.R is also known as Win32/NSAnti (AVG), Trojan.Generic.4895379 (BitDefender), Packer.Win32.VmpPacker.a (Rising AV), VirTool.Win32.Obfuscator.XZ (Sunbelt Software).
Explanation :
Trojan:Win32/Fakegina.R is a trojan that is installed as a Microsoft Graphical Identification and Authentication (GINA) Dynamic Link Library, and is used to log sensitive authentication information.
Top
Trojan:Win32/Fakegina.R is a trojan that is installed as a Microsoft Graphical Identification and Authentication (GINA) Dynamic Link Library, and is used to log sensitive authentication information. The malware DLL is loaded into the Winlogon.exe process; the library provides exports which in turn call the original MSGINA.DLL functions. When WlxLoggedOutSAS - an export of the malware DLL - is called, the malware writes the following information: Time Stamp Username Domain Password to the following location: <system folder>\drivers\ipv6.sys Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The information in the log file is presumably retrieved by another component.
Analysis by Ray RobertsLast update 15 October 2010