PWS:Win32/Codtree
First posted on 31 August 2011.
Source: SecurityHome
Aliases:
There are no other names known for PWS:Win32/Codtree.
Explanation:
PWS:Win32/Codtree is a trojan that steals credentials from web browsers and FTP clients.
Installation
PWS:Win32/Codtree may arrive on the computer by being downloaded by TrojanDownloader:Win32/Stegvob.A.
After it has performed its malicious routine, it deletes itself.
Payload
Steals user names and passwords
PWS:Win32/Codtree decrypts cached FTP account credentials from a long list of applications, including:
- ALFTP
- BulletProof FTP Client
- CoffeeCup Free FTP
- Core FTP
- CuteFTP
- EmFTP
- FFFTP
- FileZilla
- FlashFXP
- Frigate3
- FTP Commander
- FTP Control 4
- FTP Explorer
- FTP Navigator
- FTPRush
- SecureFX
- SmartFTP
- Total Commander
- UltraFXP
- WebDrive
- WinSCP
- WS_FTP
It also targets cached user names and passwords in some web browsers such as Internet Explorer, Mozilla Firefox, and Opera.
The collected data is posted to a remote server. In the wild, the data has been observed being sent to the following servers:
- 91.121.135.109
- 8nm2.com
- softs.mo.tl
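As an added detection example (not part of the original write-up), the following Python scans proxy-log lines for contact with the servers listed above; the log layout and the sample lines are constructed for illustration, and matching is done on the exact IP or the listed domains plus their subdomains:

```python
"""Flag proxy-log entries that contact the servers listed for PWS:Win32/Codtree."""
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
CODTREE_IPS = {"91.121.135.109"}
CODTREE_DOMAINS = {"8nm2.com", "softs.mo.tl"}

# Constructed sample lines in an assumed simplified proxy-log layout:
# <timestamp> <client-ip> <method> <url>
SAMPLE_LOG = """\
2011-08-31T10:01:02Z 10.0.0.5 GET http://example.com/index.html
2011-08-31T10:01:09Z 10.0.0.5 POST http://91.121.135.109/data
2011-08-31T10:02:15Z 10.0.0.7 POST http://www.8nm2.com/data
2011-08-31T10:03:00Z 10.0.0.9 GET http://notsofts.mo.tl/
2011-08-31T10:03:30Z 10.0.0.9 GET http://softs.mo.tl/
"""


def host_matches(host: str) -> bool:
    """True if host is a listed IP, a listed domain, or a subdomain of one.

    Suffix matching requires a leading dot so that a look-alike such as
    notsofts.mo.tl is not mistaken for softs.mo.tl.
    """
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in CODTREE_IPS
    except ValueError:
        pass  # not an IP literal; fall through to domain matching
    return any(host == d or host.endswith("." + d) for d in CODTREE_DOMAINS)


def find_codtree_contacts(log_text: str) -> list[dict]:
    """Return one record per log line whose destination host is an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, method, url = parts
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append({"time": ts, "client": client, "method": method, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_codtree_contacts(SAMPLE_LOG):
        print(hit)
```

Each hit carries the internal client address, which is the host to isolate and check for the credential-theft activity described above.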
Analysis by Horea Coroiu
Last update 31 August 2011