
PWS:Win32/Fotip.A


First posted on 28 June 2013.
Source: Microsoft

Aliases:

PWS:Win32/Fotip.A is also known as not-a-virus:PSWTool.Win32.PasswordRecovery.af (Kaspersky), Riskware/PasswordRecovery (other), and Trojan.FakeAV (Symantec).

Explanation:

Installation

When run, the trojan creates the folder %PUBLIC%\Public Document and drops the following files there:

  • aatd.bat - a file that launches msnd.exe
  • bms.klm - a file used by the trojan to determine where to send the passwords
  • cond.reg - a registry file which sets the trojan to run every time you start your computer
  • dd.vbs - a file that launches iewed.bat
  • ied.bat - a file that launches dd.vbs
  • iewed.bat - a file detected as PWS:BAT/Fotip.A that runs the programs that steal your passwords, and sends these passwords to a remote attacker
  • image.exe - a program designed to retrieve passwords from various email programs
  • keeprun.ini - a file used by msnd.exe to determine which files and programs to check
  • msnd.exe - a program designed to check for and ensure that certain other files and programs are running
  • picture viewer.exe - a program designed to retrieve passwords from certain Internet browsers
  • pid.pdf - a PDF file that is not malicious in itself
  • sad.vbs - a file that begins the installation process of the trojan


The trojan then runs the file sad.vbs.



Payload

Steals your Internet and email passwords

When the sad.vbs file is run, it launches the dd.vbs file, which launches iewed.bat. It also launches ictd.bat.

The iewed.bat file is detected as PWS:BAT/Fotip.A and performs the majority of the trojan's functions.

First, it runs the file cond.reg, which modifies the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: stat2
With data: "aatd.bat"

This causes the file aatd.bat to run whenever you start your computer.

The aatd.bat file runs msnd.exe, which is a program called "Keep Running". This program checks that the processes or programs listed in the keeprun.ini file are running on your computer. In this case, the keeprun.ini file tells the "Keep Running" program to check every hour whether the ied.bat file is running; if it is not, the program runs it.

The ied.bat file launches the dd.vbs file, which begins the installation process again.

After running cond.reg, the batch file iewed.bat also runs image.exe, which is a program called "All-in-one Mail Password Recovery Software" that retrieves your passwords from various email and instant messaging programs:

  • Foxmail versions 6 and 7
  • GMail Notifier
  • GTalk
  • IncrediMail
  • Microsoft Outlook 2002 through to 2013
  • Microsoft Outlook Express
  • Miranda Messenger
  • Mozilla Thunderbird
  • MSN Messenger
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Windows Credential Manager
  • Windows Live Mail 2012
  • Windows Live Messenger


The batch file also runs picture viewer.exe, which is a program called "Browser Password Recovery" that retrieves passwords from the following Internet browsers:

  • Apple Safari
  • Comodo Dragon Browser
  • CoolNovo Browser
  • Firefox
  • Flock Browser
  • Google Chrome
  • Google Chrome Canary/SXS
  • Internet Explorer
  • Opera Browser
  • SeaMonkey Browser


The batch file also creates the following folders and sets their attributes to HIDDEN, so that they are not shown by default in Windows Explorer:

  • %ALLUSERSPROFILE%\Msn
  • %ALLUSERSPROFILE%\MSN\Msn2
  • %PUBLIC%\Public Document


The batch file disables the Windows Firewall and sends the passwords stolen by the programs above to a remote FTP site. The trojan reads the address from the file bms.klm; in the wild, we have observed the trojan attempting to send the data to gabby2.0catch.com.

The trojan also drops the following files:

  • icd.bat
  • ictd.bat
  • pid.pdf


When ictd.bat is run by sad.vbs, it launches icd.bat, which is another copy of the batch file iewed.bat. This copy performs the same functions as iewed.bat and is also detected as PWS:BAT/Fotip.A; however, it also opens the pid.pdf file. The PDF file is not malicious, and the trojan most likely opens it as a decoy to hide its other activity.
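The following PowerShell triage script is an added example, not part of the Microsoft write-up: it checks a host for the persistence entry, dropped files, hidden folders, running components and disabled firewall profiles described above, reading state only and reporting what it finds. It assumes PowerShell 3 or later and the Get-NetFirewallProfile cmdlet (Windows 8 / Server 2012 and later); the folder and file names are taken from the description above.

```powershell
# Added triage script (not from the original write-up): looks for the
# PWS:Win32/Fotip.A indicators described above. Read-only; run elevated.
$findings = @()

# 1. Persistence: HKCU Run value "stat2" set by cond.reg to launch aatd.bat
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$stat2 = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).stat2
if ($stat2 -and $stat2 -match 'aatd\.bat') {
    $findings += "Run value 'stat2' launches: $stat2"
}

# 2. Files dropped into %PUBLIC%\Public Document
$dropDir = Join-Path $env:PUBLIC 'Public Document'
$dropped = 'aatd.bat','bms.klm','cond.reg','dd.vbs','ied.bat','iewed.bat',
           'image.exe','keeprun.ini','msnd.exe','picture viewer.exe',
           'pid.pdf','sad.vbs','icd.bat','ictd.bat'
foreach ($name in $dropped) {
    $p = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. Folders that iewed.bat creates and marks HIDDEN
$hiddenDirs = (Join-Path $env:ALLUSERSPROFILE 'Msn'),
              (Join-Path $env:ALLUSERSPROFILE 'MSN\Msn2'),
              $dropDir
foreach ($d in $hiddenDirs) {
    $item = Get-Item -LiteralPath $d -Force -ErrorAction SilentlyContinue
    if ($item -and (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)) {
        $findings += "Hidden folder: $d"
    }
}

# 4. Running components: the "Keep Running" watchdog and both recovery tools
Get-Process -Name 'msnd','image','picture viewer' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id))" }

# 5. Firewall profiles the batch file may have switched off
Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Where-Object { [string]$_.Enabled -eq 'False' } |
    ForEach-Object { $findings += "Firewall profile disabled: $($_.Name)" }

if ($findings.Count -eq 0) { 'No Fotip.A indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the Run value or the dropped-file set alone is a strong signal; the process and firewall checks are corroborating evidence, since legitimate software can also disable a profile.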



Analysis by Daniel Radu

Last update 28 June 2013
