Home / malwarePDF  

PWS:Win32/Savnut


First posted on 12 July 2011.
Source: SecurityHome

Aliases :

There are no other names known for PWS:Win32/Savnut.

Explanation :

PWS:Win32/Savnut is a family of password stealing trojans that steal sensitive information from affected computers and send it to a remote attacker.
Top

PWS:Win32/Savnut is a family of password stealing trojans that steal sensitive information from affected computers and send it to a remote attacker.



Installation

PWS:Win32/Savnut makes the following changes to the registry to ensure its execution at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userinit"
With data: "<install location>\appconf32.exe"



Payload

Allows backdoor access and control

PWS:Win32/Savnut allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using PWS:Win32/Savnut. This could include, but is not limited to, the following actions:

  • Download and execute arbitrary files, including but not limited to other malware
  • Upload files
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications, including but not limited to antivirus programs
  • Delete files
  • Block URLs
  • Visit URLs


Modifies system settings

PWS:Win32/Savnut makes the following changes to the registry in order to prevents the user from being warned if Internet Explorer Enhanced Security Configuration is not enabled:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"

Terminates processes

The trojan checks if any of the following processes are running, and if so, terminates them:

  • mcvsshld.exe
  • usrreq.exe
  • avgtray.exe
  • bdagent.exe
  • npfuser.exe
  • niguser.exe
  • AVKTray.exe
  • ONLINENT.EXE


PWS:Win32/Savnut hooks the following APIs in order to facilitate persistent infection and data interception:

  • RegOpenKeyExW
  • HttpSendRequestA/W
  • CreateProcessW
  • CreateFileW
  • InternetCrackUrlA
  • InternetOpenA/W
  • getaddrinfo


Surveys Internet history

PWS:Win32/Savnut checks Firefox and Internet Explorer cookies for the following, and if found, may download additional banking password-stealer components:

  • .key
  • .ml
  • 53
  • @ecu
  • @ml
  • @us
  • action.mathtag
  • advanta
  • aib
  • al-bank
  • alliantcreditunion
  • americafirst
  • andelskassen
  • associatedbank
  • banken
  • bankofamerica
  • bankofoklahoma
  • bbandt
  • bbt
  • bbvabancomerusa
  • bmo
  • bnpparibas
  • bridgetrack
  • capitalone
  • charterone
  • chase
  • cibc
  • citi.
  • citibank
  • citizensbank
  • cnb
  • colonialbank
  • comerica
  • commercebank
  • db
  • dcu
  • deltacommunitycu
  • diba
  • digitalinsight
  • discovercard
  • e-finance
  • ebh-bank
  • eloqua
  • etrade
  • fetchback
  • fih
  • firstbankpr
  • firstcitizens
  • firsthorizon
  • forbank
  • fsb.netminers
  • golden1
  • harrisbank
  • HB
  • homebanking
  • hsbc
  • huntington
  • infotechalliance
  • juniper
  • key
  • lillespar
  • lpk
  • maxbank
  • mibank
  • morsbank
  • mufg
  • mynycb
  • mystreetscape
  • nationalcity
  • nationalcitycardservicesonline
  • nationalirishbank
  • navyfcu
  • ncsecu
  • neteller
  • northerntrust
  • patelco
  • pensam
  • peoples
  • pnc
  • popular
  • rbcbankusa
  • rbcroyalbank
  • rbs
  • regions
  • riba
  • ringkjoebing-bank
  • roiservice
  • ru4
  • sallingbank
  • sbbank
  • schwab
  • scotiabank
  • sdccu
  • servlet
  • skybranch
  • sparthy
  • suntrust
  • synovus
  • tcfbank
  • tcfexpress
  • tcliveus
  • tdbank
  • turn
  • umb
  • undertone
  • usbank
  • vinderupbank
  • vorbank
  • wachovia
  • wamu
  • websteronline
  • webtrendslive
  • wellsfargo
  • xiti
  • zionsbank


Downloads other malware

PWS:Win32/Savnut also downloads additional components (such as TrojanSpy:Win32/Savnut.A and TrojanSpy:Win32/Savnut.A!dll) if any of the following strings are found in cookies:

  • scorecardresearch
  • @abmr
  • burstnet
  • dice
  • quantserve
  • careercast
  • washingtonpost
  • beyond
  • jobing
  • sharethis
  • interclick
  • monster[
  • coremetrics
  • ic-live
  • careerbuilder
  • microsoft
Additional information

In the wild, we have observed PWS:Win32/Savnut storing configuration and/or cross process syncronisation information in the following:

  • Software\Microsoft\Windows\CurrentVersion\Internet Setting


Note: Adding a value with the name "delete" to this key will cause the malware to uninstall itself.



Analysis by Matt McCormack

Last update 12 July 2011

 

TOP

Malware :