Trojan:Win32/Fakegina.S
First posted on 23 October 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Fakegina.S is also known as TrojanSpy.Agent.YJBT (VirusBuster), Trojan horse PSW.Agent.AHQM (AVG), TR/Spy.Agent.BOU (Avira), Mal/FakeGina-A (Sophos).
Explanation:
Trojan:Win32/Fakegina.S is a trojan that is installed as a Microsoft Graphical Identification and Authentication (GINA) Dynamic Link Library file, and is used to log sensitive authentication information.
Trojan:Win32/Fakegina.S is loaded into the Winlogon.exe process. It provides exports which in turn call the original MSGINA.DLL functions. When WlxLoggedOutSAS, an export of the malware DLL, is called, Trojan:Win32/Fakegina.S writes the following information:
Time Stamp
Username
Domain
Password
to the following location:
<system folder>\drivers\ipv6.sys
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The information in the log file is presumably retrieved by another component.
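The description above gives a defender three things to check for: a third-party GINA DLL sitting between Winlogon and MSGINA.DLL, a text file posing as a driver at <system folder>\drivers\ipv6.sys, and a foreign module loaded into Winlogon.exe. The following read-only hunt script is an added example, not code from the original advisory or from its author. It assumes, beyond what the page states, that a custom GINA is registered through the GinaDLL value under the Winlogon registry key (the Windows 2000/XP mechanism) and that Winlogon uses the built-in MSGINA.DLL when that value is absent; $env:SystemRoot stands in for the <system folder> the advisory refers to.

```powershell
# Added example, not from the original advisory: a read-only hunt for a
# FakeGINA-style GINA replacement, run from an elevated PowerShell prompt.
# Assumption not stated on the page: a custom GINA is registered through the
# GinaDLL value under the Winlogon key; if the value is absent Winlogon loads
# the built-in MSGINA.DLL. The log path is the one the advisory gives.

$findings = @()

# 1. Registry: any GinaDLL value other than msgina.dll means a third-party DLL
#    is loaded into Winlogon.exe and sits between the user and MSGINA.DLL.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
if ($props -and $props.GinaDLL -and ($props.GinaDLL -notmatch '(^|\\)msgina\.dll$')) {
    $ginaPath = $props.GinaDLL
    if (-not [IO.Path]::IsPathRooted($ginaPath)) {
        # A bare file name is resolved from System32, where Winlogon looks for it.
        $ginaPath = Join-Path $env:SystemRoot ('System32\' + $ginaPath)
    }
    $findings += "Non-default GinaDLL registered: $($props.GinaDLL)"
    if (Test-Path -LiteralPath $ginaPath) {
        # SHA-256 via .NET so the check also works on PowerShell 2.0 era hosts.
        $sha256 = [Security.Cryptography.SHA256]::Create()
        $stream = [IO.File]::OpenRead($ginaPath)
        try { $hashBytes = $sha256.ComputeHash($stream) } finally { $stream.Close() }
        $hex = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
        $findings += "  GINA DLL on disk: $ginaPath SHA256=$hex"
    } else {
        $findings += "  Registered GINA DLL not found on disk: $ginaPath"
    }
}

# 2. File system: the credential log is dropped as <system folder>\drivers\ipv6.sys.
#    A genuine driver is a PE image and starts with 'MZ'; the trojan's log is text,
#    so a file at that path without that header is suspect.
$logPath = Join-Path $env:SystemRoot 'System32\drivers\ipv6.sys'
if (Test-Path -LiteralPath $logPath) {
    $header = New-Object byte[] 2
    $stream = [IO.File]::OpenRead($logPath)
    try { $read = $stream.Read($header, 0, 2) } finally { $stream.Close() }
    $isPe = ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
    if (-not $isPe) {
        $findings += "drivers\ipv6.sys is present but is not a PE image (possible credential log): $logPath"
    }
}

# 3. Memory: list DLLs loaded into winlogon.exe from outside System32. Needs
#    elevation; if the system process still refuses access, that is reported, not hidden.
try {
    $sys32 = (Join-Path $env:SystemRoot 'System32').ToLower()
    foreach ($proc in Get-Process -Name winlogon -ErrorAction Stop) {
        foreach ($m in $proc.Modules) {
            if (-not $m.FileName.ToLower().StartsWith($sys32)) {
                $findings += "winlogon.exe (PID $($proc.Id)) has a module outside System32: $($m.FileName)"
            }
        }
    }
} catch {
    $findings += "Could not enumerate winlogon.exe modules: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No FakeGINA-style indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it as an administrator so the registry key and Winlogon's module list are readable. Step 1 only has meaning on Windows 2000 and XP, since Vista replaced the GINA interface with credential providers; steps 2 and 3 apply on any version. A hit on step 2 is the strongest indicator here, because a real ipv6.sys is always a PE image, whereas step 3 can also flag legitimate software that injects into Winlogon and should be triaged by hash rather than treated as proof on its own.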
Analysis by Ray Roberts. Last update 23 October 2010.