PWS:Win32/Savnut
First posted on 12 July 2011.
Source: SecurityHome
Aliases:
There are no other names known for PWS:Win32/Savnut.
Explanation:
PWS:Win32/Savnut is a family of password stealing trojans that steal sensitive information from affected computers and send it to a remote attacker.
Installation
PWS:Win32/Savnut makes the following changes to the registry to ensure its execution at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userinit"
With data: "<install location>\appconf32.exe"
Payload
Allows backdoor access and control
PWS:Win32/Savnut allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using PWS:Win32/Savnut. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files, including but not limited to other malware
- Upload files
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications, including but not limited to antivirus programs
- Delete files
- Block URLs
- Visit URLs
Modifies system settings
PWS:Win32/Savnut makes the following change to the registry in order to prevent the user from being warned when Internet Explorer Protected Mode is turned off:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"
Terminates processes
The trojan checks if any of the following processes are running, and if so, terminates them:
- mcvsshld.exe
- usrreq.exe
- avgtray.exe
- bdagent.exe
- npfuser.exe
- niguser.exe
- AVKTray.exe
- ONLINENT.EXE
Hooks APIs
PWS:Win32/Savnut hooks the following APIs in order to facilitate persistent infection and data interception:
- RegOpenKeyExW
- HttpSendRequestA/W
- CreateProcessW
- CreateFileW
- InternetCrackUrlA
- InternetOpenA/W
- getaddrinfo
Surveys Internet history
PWS:Win32/Savnut checks Firefox and Internet Explorer cookies for the following strings, and if any are found, may download additional banking password-stealer components:
- .key
- .ml
- 53
- @ecu
- @ml
- @us
- action.mathtag
- advanta
- aib
- al-bank
- alliantcreditunion
- americafirst
- andelskassen
- associatedbank
- banken
- bankofamerica
- bankofoklahoma
- bbandt
- bbt
- bbvabancomerusa
- bmo
- bnpparibas
- bridgetrack
- capitalone
- charterone
- chase
- cibc
- citi.
- citibank
- citizensbank
- cnb
- colonialbank
- comerica
- commercebank
- db
- dcu
- deltacommunitycu
- diba
- digitalinsight
- discovercard
- e-finance
- ebh-bank
- eloqua
- etrade
- fetchback
- fih
- firstbankpr
- firstcitizens
- firsthorizon
- forbank
- fsb.netminers
- golden1
- harrisbank
- HB
- homebanking
- hsbc
- huntington
- infotechalliance
- juniper
- key
- lillespar
- lpk
- maxbank
- mibank
- morsbank
- mufg
- mynycb
- mystreetscape
- nationalcity
- nationalcitycardservicesonline
- nationalirishbank
- navyfcu
- ncsecu
- neteller
- northerntrust
- patelco
- pensam
- peoples
- pnc
- popular
- rbcbankusa
- rbcroyalbank
- rbs
- regions
- riba
- ringkjoebing-bank
- roiservice
- ru4
- sallingbank
- sbbank
- schwab
- scotiabank
- sdccu
- servlet
- skybranch
- sparthy
- suntrust
- synovus
- tcfbank
- tcfexpress
- tcliveus
- tdbank
- turn
- umb
- undertone
- usbank
- vinderupbank
- vorbank
- wachovia
- wamu
- websteronline
- webtrendslive
- wellsfargo
- xiti
- zionsbank
Downloads other malware
PWS:Win32/Savnut also downloads additional components (such as TrojanSpy:Win32/Savnut.A and TrojanSpy:Win32/Savnut.A!dll) if any of the following strings are found in cookies:
- scorecardresearch
- @abmr
- burstnet
- dice
- quantserve
- careercast
- washingtonpost
- beyond
- jobing
- sharethis
- interclick
- monster[
- coremetrics
- ic-live
- careerbuilder
- microsoft
Additional information
In the wild, we have observed PWS:Win32/Savnut storing configuration and/or cross-process synchronisation information in the following:
- Software\Microsoft\Windows\CurrentVersion\Internet Setting
Note: Adding a value with the name "delete" to this key will cause the malware to uninstall itself.
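The following PowerShell script is an added triage example that ties together the host-based indicators listed on this page (the "userinit" Run key value, the NoProtectedModeBanner setting, the "Internet Setting" configuration key and the dropped appconf32.exe binary) and, optionally, uses the "delete" value described in the note above to make the trojan remove itself. It is not Microsoft's code and not part of the malware. The page does not state which hive holds the "Internet Setting" key, where appconf32.exe is installed, or what type and data the "delete" value needs; the choices made for each of those are marked as assumptions in the comments.

```powershell
<#
  Added triage example for the PWS:Win32/Savnut indicators described on this page.
  Not Microsoft's code and not part of the original write-up. Run from an elevated
  PowerShell prompt on the suspect host. Assumptions are marked ASSUMPTION below.
#>
param(
    # Set this switch to write the "delete" value that makes the trojan uninstall itself.
    # Collect evidence first (file hashes, memory image); the uninstall destroys artifacts.
    [switch]$Uninstall
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence. The trojan writes a value named "userinit" under the HKCU Run key.
#    The legitimate Userinit value lives under
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, never under Run,
#    so the value name alone is suspicious even if the data is not appconf32.exe.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and ($runProps.PSObject.Properties.Name -contains 'userinit')) {
    $data = $runProps.userinit
    $sev = if ($data -match 'appconf32\.exe') { 'MATCH' } else { 'SUSPECT' }
    $findings.Add("[$sev] $runKey\userinit = $data")
}

# 2. Protected Mode banner suppression in Internet Explorer. Some administrators
#    set this deliberately, so treat it as corroboration rather than proof.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$banner = (Get-ItemProperty -Path $ieMain -Name 'NoProtectedModeBanner' -ErrorAction SilentlyContinue).NoProtectedModeBanner
if ($banner -eq 1) {
    $findings.Add("[SUSPECT] $ieMain\NoProtectedModeBanner = 1")
}

# 3. Configuration / cross-process sync key. Note the singular "Internet Setting";
#    the legitimate key is "Internet Settings". The page does not say which hive
#    is used, so both HKCU and HKLM are checked (ASSUMPTION).
$cfgKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Setting',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Setting'
) | Where-Object { Test-Path -Path $_ }
foreach ($k in $cfgKeys) { $findings.Add("[MATCH] configuration key present: $k") }

# 4. Dropped binary. The install location is not given on the page, so the user
#    profile, ProgramData and the Windows directory are searched (ASSUMPTION).
$roots = @($env:USERPROFILE, $env:ProgramData, $env:SystemRoot) | Where-Object { $_ -and (Test-Path -Path $_) }
Get-ChildItem -Path $roots -Filter 'appconf32.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings.Add("[MATCH] file $($_.FullName) SHA256=$sha")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No PWS:Win32/Savnut indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}

# 5. Optional: trigger the malware's own uninstall routine. The page only says a
#    value named "delete" must exist; its type and data are not specified, so an
#    empty REG_SZ is written (ASSUMPTION).
if ($Uninstall) {
    foreach ($k in $cfgKeys) {
        New-ItemProperty -Path $k -Name 'delete' -Value '' -PropertyType String -Force | Out-Null
        Write-Output "Wrote 'delete' value under $k. Reboot, then re-run this script to confirm the Run key entry is gone."
    }
}
```

Run it once without the switch to record what is present, hash and copy any appconf32.exe found, and only then run it with -Uninstall; the script writes "delete" under every "Internet Setting" key it found, so if the malware honours the value the Run key entry and the binary should be absent on the next pass. Get-FileHash and the -File parameter require PowerShell 4.0 or later.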
Analysis by Matt McCormack
Last update 12 July 2011