PWS:Win32/MSNPass.C
First posted on 27 July 2010.
Source: SecurityHome
Aliases :
PWS:Win32/MSNPass.C is also known as W32/SuspPack.G.gen!Eldorado (Authentium (Com, Trojan.Win32.Vilsel.agwv (Kaspersky), Packed/NTkrnl (VirusBuster), TR/Crypt.CFI.Gen (Avira), Gen:Trojan.Heur.ii0ar1OJbMiiu (BitDefender), Win32/SillyDl.PVN (CA), Trojan-Downloader.Win32.VB (Ikarus), Trojan.Win32.Packer.NTkrnl0.1 (Sunbelt Software), WORM_VB.EA (Trend Micro).
Explanation :
PWS:Win32/MSNPass.C is a trojan that downloads malware applications and possibly steals confidential information from the infected computer.
Installation
PWS:Win32/MSNPass.C is installed under C:\MessengerPlus\mplayer2.exe, and makes the following registry modifications to ensure it executes at Windows start:
Adds value: "wmplayer"
With data: "c:\messengerplus\mplayer2.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Payload
Lowers security settings
PWS:Win32/MSNPass.C lowers the security settings on the infected computer by making the following registry modifications:
Adds value: "CheckExeSignatures"
With data: "no"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Download

Adds value: "SaveZoneInformation"
With data: "00000001"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments

Adds value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

Opens an Internet Explorer browser
PWS:Win32/MSNPass.C opens an Internet Explorer window with the following address:
hxxp://www.youtube.com/watch?v=gOO_UqzEc5Y

Downloads and executes arbitrary files
PWS:Win32/MSNPass.C opens a hidden Internet Explorer browser and downloads the following files:
hxxp://britolanches.com.br/dllmessenger.jpg
hxxp://britolanches.com.br/dll.jpg
Note: dll.jpg is an actual DLL file, and is saved as IEBrowserEvents.dll - this is a variant of TrojanSpy:Win32/Bancos.

Additional information
Monitors application and browser activity
PWS:Win32/MSNPass.C remains loaded in memory. The trojan hooks into the Windows Live Messenger application and monitors the activity. It also monitors the browser activity on the affected computer. Some information is logged in the file juupdate18.log, and placed at the same location as the malware. The information in this file is encrypted/obfuscated.
Notifies the user of the malware's use of a polymorphic file protector
The malware is protected by NTkrnl Packer (a polymorphic file protector). Whenever the malware runs, a splash screen is displayed.
Note: This is not an indication that the file is part of any security product (namely, NTkrnl Secure Suite); the screen may mislead users into thinking that this file is part of a security package, when in fact it is not.
Analysis by Dan Nicolescu
Last update 27 July 2010
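As an added example (not part of the original analysis), the following Python script checks the text of an exported HKCU hive for the registry modifications described above. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above: (HKCU subkey, value name, expected data).
CV = r"Software\Microsoft\Windows\CurrentVersion"
INDICATORS = [
    (CV + r"\Run", "wmplayer", r"c:\messengerplus\mplayer2.exe"),
    (r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
    (CV + r"\Policies\Attachments", "SaveZoneInformation", "dword:00000001"),
    (CV + r"\Policies\Associations", "LowRiskFileTypes", None),  # None: inspect list
]
RISKY_EXTS = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}

# Constructed sample export (not from a real host); one benign Run entry included.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wmplayer"="c:\\messengerplus\\mplayer2.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
'''

def parse_reg_export(text):
    """Return {(subkey, value name): data} with lower-cased keys, HKCU only."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = re.match(r"\[HKEY_CURRENT_USER\\(.+)\]$", line, re.I)
            key = m.group(1).lower() if m else None  # ignore other hives
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and key:
            data = m.group(2)
            if data[:1] == '"' and data.endswith('"'):  # REG_SZ: unescape \\ and \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            values[(key, m.group(1).lower())] = data
    return values

def find_indicators(text):
    """Return [(subkey, name, data)] for each indicator present in the export."""
    values, hits = parse_reg_export(text), []
    for subkey, name, expected in INDICATORS:
        data = values.get((subkey.lower(), name.lower()), "")
        if expected is None:  # executable types marked as low-risk
            matched = bool({e.lower() for e in data.split(";")} & RISKY_EXTS)
        else:
            matched = data.lower() == expected.lower()
        if matched:
            hits.append((subkey, name, data))
    return hits
```

Exports written by regedit or `reg export` are UTF-16 encoded, so decode the file before passing its text to `find_indicators`.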