
Win32.Manda.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Manda.A is also known as PWSteal.Salira (NAV).

Explanation :

The trojan arrives as a .RAR archive with a malformed header. Some misconfigured archivers may execute the trojan when the archive is merely viewed. The archive has a movie-subtitle file name and is 35347 bytes in size.
When executed, the trojan copies itself as "winrarshell32.exe" and registers itself to be executed at every system startup.
Then, it turns on several password-caching facilities in Windows:
- Autocomplete: by adding "Use AutoComplete" = "yes" to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoComplete
- Password suggesting: by adding "FormSuggest Passwords" = "yes" and "Use FormSuggest" = "yes" to the registry key
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

The trojan logs every password in a file called "system31.bug", which it sends to the author, in a mail that looks like the following:

From: BUG_Mafia@as.ro
To: mandaril@as.ro
Subject:#2.02dev
X-Mailer: bugmafia v2.02dev
MIME-Version: 1.0
Content-Type: multipart/mixed;

The trojan also includes statistical system information in the email, and on NT-based systems it additionally fetches the NTLan password hashes and sends them.
To send the mail, the trojan uses its own SMTP engine.
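The host-side indicators above (the three password-caching registry values, the dropped "winrarshell32.exe" copy and the "system31.bug" log) can be checked on a suspect Windows machine with the following PowerShell triage script. It is an added example, not BitDefender's or malwarePDF's code; the Run keys and the directories it searches are assumptions, since the write-up does not say which startup mechanism is used or where the files are dropped.

```powershell
# Added triage example: checks a Windows host for the Win32.Manda.A indicators listed
# on this page. Autorun keys and search directories are assumed, not stated by the page.
$findings = @()

# 1. Password-caching settings the trojan turns on (key paths and values as on the page).
$cachingChecks = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoComplete'; Name = 'Use AutoComplete' },
  @{ Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'; Name = 'FormSuggest Passwords' },
  @{ Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'; Name = 'Use FormSuggest' }
)
foreach ($c in $cachingChecks) {
  $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
  if ($v -eq 'yes') {
    $findings += "Password caching enabled: $($c.Path)\$($c.Name) = $v"
  }
}

# 2. Persistence: an autorun entry referencing the dropped copy "winrarshell32.exe".
#    The Run keys below are an assumed location; the page only says "executed at every startup".
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
  $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
  if ($null -eq $props) { continue }
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Value -is [string] -and $p.Value -match 'winrarshell32\.exe') {
      $findings += "Autorun entry referencing winrarshell32.exe: $k\$($p.Name) = $($p.Value)"
    }
  }
}

# 3. On-disk artifacts: the dropped executable and the password log "system31.bug".
#    Directories are assumed; widen the list (or search the whole drive) if nothing is found.
$roots = @($env:SystemRoot, "$env:SystemRoot\System32", $env:TEMP)
foreach ($r in $roots) {
  foreach ($n in 'winrarshell32.exe', 'system31.bug') {
    $f = Join-Path $r $n
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
  }
}

if ($findings.Count -eq 0) { 'No Win32.Manda.A indicators found.' } else { $findings }
```

Run it from an elevated prompt so HKEY_USERS\.DEFAULT and %SystemRoot% are readable; a hit on the caching values alone is only a weak signal, since an administrator can set them legitimately.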

Last update 21 November 2011
