PWS:Win32/Dofoil.D
First posted on 08 February 2012.
Source: Microsoft
Aliases:
There are no other names known for PWS:Win32/Dofoil.D.
Explanation:
PWS:Win32/Dofoil.D is a trojan that steals user names and passwords for certain FTP applications and Microsoft Outlook.
Installation
PWS:Win32/Dofoil.D is a trojan that may arrive as an attachment to a spammed email message. It may arrive with the following file name:
- Ticket.zip, containing Ticket.exe, which carries the Adobe Reader PDF icon
It may then copy itself to the %AppData% folder as AE506B.exe.
PWS:Win32/Dofoil.D modifies the system registry so that it automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<random value>"
With data: "%Appdata%\AE506B.exe"
It then deletes its currently-running copy.
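As an added example (not code from the original entry or from Microsoft), the following Python script scans a text registry export for the Policies\Explorer\Run persistence described above. The sample export, the value names and every path other than AE506B.exe are constructed for illustration.

```python
"""Scan a 'reg export' text dump for the Dofoil.D autorun pattern.

Constructed example, not part of the original entry. It parses the
HKCU Policies/Explorer/Run key named above and flags values whose data
names the page's AE506B.exe or points anywhere under %AppData%.
"""

# Autorun subkey from the page, written as reg.exe exports it (full hive name).
TARGET_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
              r"\Policies\Explorer\Run")
KNOWN_FILE = "AE506B.exe"  # dropped file name from the page

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"')
            # .reg files escape backslashes and quotes inside string data
            data = data.replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys

def find_dofoil_persistence(text):
    """Return [(value_name, data, reason)] for suspicious Run values under TARGET_KEY."""
    hits = []
    for name, data in parse_reg_export(text).get(TARGET_KEY, {}).items():
        lowered = data.lower()
        if KNOWN_FILE.lower() in lowered:
            hits.append((name, data, "known Dofoil.D file name"))
        elif "%appdata%" in lowered or "\\appdata\\roaming\\" in lowered:
            hits.append((name, data, "autorun launched from %AppData%"))
    return hits

# Constructed sample export: one benign entry in the common Run key, and
# three values under Policies\Explorer\Run, two of which match the pattern.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"x7kq2"="%Appdata%\\AE506B.exe"
"Updater"="C:\\Users\\user\\AppData\\Roaming\\svc.exe"
"Printer"="C:\\Program Files\\HP\\hpmon.exe"
'''

if __name__ == "__main__":
    for name, data, reason in find_dofoil_persistence(SAMPLE_REG):
        print(f"{reason}: {name} -> {data}")
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run out.reg` output converted to UTF-8; the Policies\Explorer\Run key is rarely used by legitimate software, so any entry there deserves a look even when this script reports nothing.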
Payload
Steals sensitive information
PWS:Win32/Dofoil.D injects code into svchost.exe, which may download other files and may steal user names and passwords stored in the following applications:
- Bullet Proof FTP
- FileZilla
- Microsoft Outlook
- SmartFTP
- Total Commander
- Windows Commander
It may then send the stolen information to a remote attacker.
Analysis by Francis Allan Tan Seng
Last update 08 February 2012