Home / malware PWS:Win32/Magania
First posted on 04 May 2010.
Source: SecurityHomeAliases :
There are no other names known for PWS:Win32/Magania.
Explanation :
PWS:Win32/Magania is a password stealing trojan that injects code into the "explorer.exe" process. The injected code varies according to the sample.
Top
PWS:Win32/Magania is a password stealing trojan that injects code into the "explorer.exe" process. The injected code varies according to the sample. InstallationWin32/Magania usually arrives in the computer with a random file name. It is executed from its original location, usually in the Windows system folder. It modifies the system registry so that it automatically runs every time Windows starts. In the wild, the following change has been observed: Adds value: "SystemMgr"
With data: "<malware file name>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or Adds value: "Userinit"
With data: "<system folder>\userinit.exe,<malware file name>",
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Payload Injects code into processesWin32/Magania injects code into the "explorer.exe" process. Depending on the variant, this code may be used to steal password information or download and execute additional files.
Analysis by Matt McCormackLast update 04 May 2010