
Trojan.PWS.KATES.AG


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.PWS.KATES.AG.

Explanation:

The file will be moved to Templates\memory.tmp under the personal directory of the user that runs the malware
(e.g. "C:\Documents and Settings\Administrator").
The original file is deleted.

A DLL file is also dropped: Local Settings\Application Data\Windows Server\pwfsdy.dll (3KB)
The "Windows Server" subdirectory doesn't usually exist there and is created by the malware.
The file's access, creation and write times are replaced with those of the file user32.dll.
The DLL will be executed automatically each time a program is run for the first time because of a registry
value written at SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll.

A registry key called HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy\lbtppwfsdy will be created and filled with binary data.
The DLL loads the data from this key and executes it; this is the code that carries out the malicious instructions.
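The three persistence artifacts described above can be checked from an administrative PowerShell prompt. This is an added defender-side example, not code from the BitDefender write-up; it assumes a modern Windows host where the profile's "Local Settings\Application Data" folder is $env:LOCALAPPDATA, and the function name Test-KatesPersistence is the example's own.

```powershell
# Added example (not part of the original write-up): look for the Trojan.PWS.KATES.AG
# persistence artifacts on the local host. Run as Administrator.
# Assumption: "Local Settings\Application Data" of the profile is $env:LOCALAPPDATA.

function Test-KatesPersistence {
    $findings = @()

    # 1. AppCertDlls: every DLL registered under this key is loaded into each process that
    #    calls CreateProcess. The key is normally absent or empty, so any value deserves
    #    review; "AppSecDll" is the value name this sample writes.
    $appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if (Test-Path $appCertKey) {
        $props = Get-ItemProperty -Path $appCertKey
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # skip provider metadata
            $severity = if ($p.Name -eq 'AppSecDll') { 'HIGH' } else { 'REVIEW' }
            $findings += "[$severity] AppCertDlls value '$($p.Name)' -> $($p.Value)"
        }
    }

    # 2. Per-user key holding the binary payload that the DLL loads and executes.
    $payloadKey = 'HKCU:\SOFTWARE\lbtppwfsdy'
    if (Test-Path $payloadKey) {
        $findings += "[HIGH] payload key present: $payloadKey"
    }

    # 3. Dropped loader DLL; its timestamps were copied from user32.dll, so compare them.
    $dll = Join-Path $env:LOCALAPPDATA 'Windows Server\pwfsdy.dll'
    if (Test-Path $dll) {
        $f   = Get-Item $dll
        $ref = Get-Item (Join-Path $env:SystemRoot 'System32\user32.dll')
        $stomped = ($f.CreationTime -eq $ref.CreationTime) -and
                   ($f.LastWriteTime -eq $ref.LastWriteTime)
        $findings += "[HIGH] dropped DLL present: $dll ($($f.Length) bytes; " +
                     "timestamps match user32.dll: $stomped)"
    }

    return $findings
}

$result = Test-KatesPersistence
if ($result.Count -eq 0) { 'No Trojan.PWS.KATES.AG persistence indicators found.' } else { $result }
```

A non-empty AppCertDlls key on a host that has no known software relying on it is worth investigating even when the value name differs from the one this sample uses.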

The malware waits until it is loaded into one of the recognized browsers (Firefox, Opera, Internet Explorer).
When it finds itself running inside one of these browsers it hooks the functions used for transferring data over the
internet connection. Those hooks filter the pages the user browses and pick out the ones that are result pages
from internet search engines (Google, Yahoo, Bing).

When a result page is found, the malware randomly chooses to replace the links of the results with URLs to
sites other than the ones the search engine provided. These sites include fake online antivirus scanners
and sites with pornographic content. The malware also parses the page the user is viewing and spies on passwords
and other personal information. This personal data is sent to one of the malware developers' servers.

Last update 21 November 2011
