PWS:Win32/VB.CU
First posted on 15 February 2019.
Source: Microsoft
Aliases:
PWS:Win32/VB.CU is also known as Win32/Swisyn.worm.446517, Trojan.Win32.Swisyn.auzw, W32/Swisyn.CL, W32.Gosys, PE_MOFKSYS.B-O.
Explanation:
PWS:Win32/VB.CU is a trojan that steals certain information from the affected computer. It also stops the SharedAccess service (Windows Firewall / Internet Connection Sharing) and overwrites executable files in the folder it was launched from.
Installation
PWS:Win32/VB.CU drops a copy of itself as the following:
<system folder>\explorer.exe
%windir%\spoolsv.exe
%windir%\svchost.exe
Note that these files are not the legitimate Windows applications; malware commonly reuses the names of system binaries, placed in a different directory, to disguise itself. The legitimate Windows applications are found in the following locations:
<system folder>\spoolsv.exe
<system folder>\svchost.exe
%windir%\explorer.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 it is C:\Windows\System32.
Upon execution, PWS:Win32/VB.CU adds the following registry entries as part of its installation routine:
In subkey:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
or
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Sets value: "StubPath"
With data: "%AppData%\mrsys.exe MR"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "Explorer"
With data: "<system folder>\explorer.exe RO"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "Svchost"
With data: "%windir%\svchost.exe RO"
It also modifies the following registry value so that its copy automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%windir%\explorer.exe,<system folder>\explorer.exe"
PWS:Win32/VB.CU also creates a scheduled job to activate its dropped copy. The scheduled job file is saved as "%windir%\Tasks\At1.job".
Payload
Disables network services
PWS:Win32/VB.CU disables the SharedAccess service, which is the Windows Firewall / Internet Connection Sharing (ICS) service. Stopping it removes the host firewall that would otherwise filter the malware's network traffic.
Steals sensitive information
This password stealer logs clicks, keystrokes and window titles. It also collects the following information:
email configuration (user name, password, email recipients, SMTP server, server port, authentication status, whether it is using SSL)
instant messenger credentials
downloaded files
websites visited
search keywords
operating system
Internet browser and version
software installed in the system
clipboard contents
desktop captures
network shared resources connected to the computer
Overwrites files
PWS:Win32/VB.CU overwrites executable files found in the same folder in which it was initially executed.
Additional information
PWS:Win32/VB.CU enables and starts the Schedule (Task Scheduler) service to make sure the created scheduled job executes its dropped copy every day. To hinder detection on the affected computer, it terminates its own processes.
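The following PowerShell triage script is an added example and is not part of the original write-up or a Microsoft tool. It checks a host for the installation and payload artifacts listed above (the misplaced copies, the %AppData%\mrsys.exe drop, the Active Setup StubPath, the RunOnce values, the Winlogon Shell value, the At1.job file and the state of the SharedAccess service). The paths and registry locations are taken from the write-up; the variable names, the match on "mrsys.exe" and the output format are this script's own assumptions. Run it from an elevated prompt so HKLM and %windir% are fully readable.

```powershell
# Added triage script for PWS:Win32/VB.CU indicators (example code, not from the
# original page). Assumes the drop paths and registry keys exactly as written up.
$findings = @()
$sys = [Environment]::GetFolderPath('System')   # <system folder>, e.g. C:\Windows\System32
$win = $env:windir

# 1. Dropped copies. spoolsv.exe / svchost.exe directly under %windir%, or
#    explorer.exe inside the System folder, are not where Windows ships them.
$dropPaths = @("$win\spoolsv.exe", "$win\svchost.exe", "$sys\explorer.exe", "$env:APPDATA\mrsys.exe")
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        $findings += "Dropped/misplaced binary: $p (Authenticode: $($sig.Status))"
    }
}

# 2. Active Setup StubPath pointing at mrsys.exe, whatever component GUID it hides under.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'mrsys\.exe') {
        $findings += "Active Setup StubPath in $($_.PSChildName): $stub"
    }
}

# 3. RunOnce values named "Explorer" and "Svchost".
$runOnce = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
foreach ($name in @('Explorer', 'Svchost')) {
    $v = $runOnce.$name
    if ($v) { $findings += "RunOnce\$name = $v" }
}

# 4. Winlogon Shell is exactly "explorer.exe" on a clean system; any extra
#    comma-separated entry is a second shell started at logon.
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell = $shell" }

# 5. Legacy AT job file used to relaunch the dropped copy daily.
$job = "$win\Tasks\At1.job"
if (Test-Path -LiteralPath $job) { $findings += "Scheduled job file present: $job" }

# 6. SharedAccess (Windows Firewall / ICS) stopped or disabled.
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') { $findings += "SharedAccess service is $($svc.Status)" }

if ($findings.Count -eq 0) { 'No PWS:Win32/VB.CU indicators found.' } else { $findings }
```

A hit on any single check is not proof of infection by itself (an administrator may legitimately have an At1.job, and SharedAccess is stopped on some builds), but the combination of a misplaced system binary plus any of the persistence entries above matches this family's installation routine and warrants pulling the file for analysis.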
Analysis by Zarestel Ferrer
Last update 15 February 2019