PWS:Win32/Enterak.B
First posted on 08 September 2019.
Source: Microsoft
Aliases :
There are no other names known for PWS:Win32/Enterak.B.
Explanation :
Installation
This threat can be installed by other malware, such as TrojanDropper:WinNT/Enterok.A.
It makes the following changes to the registry as part of its installation process:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{}\InProcServer32
Sets value: (default)
With data: ""
In subkey: HKLM\SOFTWARE\Classes\CLSID\{}
Sets value: (default)
With data: "0"
It is installed as a Browser Helper Object (BHO) by making the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{}
Sets value: (default)
With data: (value not set)
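The registry changes above can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the original write-up: it lists every registered Browser Helper Object, resolves the DLL named in its CLSID's InProcServer32 key, and reports whether that file exists and is validly signed. The WOW6432Node view and the report column names are additions that the page does not mention.

```powershell
# Added example: enumerate Browser Helper Objects and the DLL each CLSID loads.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit registry view on 64-bit Windows (assumption: not listed on the page).
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid      = $key.PSChildName                      # e.g. {xxxxxxxx-....}
        $serverPath = "$($view.Clsid)\$clsid\InProcServer32"
        $dll        = $null

        $serverKey = Get-Item -LiteralPath $serverPath -ErrorAction SilentlyContinue
        if ($serverKey) {
            # GetValue('') reads the key's (default) value, which holds the DLL path.
            $raw = [string]$serverKey.GetValue('')
            $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
        }

        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $dll).Status
        } else {
            'n/a'
        }

        [pscustomobject]@{
            Clsid     = $clsid
            View      = $view.Bho
            Dll       = $dll
            DllExists = $exists
            Signature = $sigStatus
        }
    }
}

# Entries with no resolvable DLL, a missing file, or a signature status other
# than 'Valid' are the ones to review first.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Clsid |
    Format-List Clsid, Dll, DllExists, Signature, View
```

A BHO whose DLL is unsigned or sits outside the directory of a known, installed product is worth checking against the antimalware scan results for the host.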
Payload
Steals online game and banking credentials
This threat can monitor, and attempt to steal, the credentials you type into the following websites:
Online game websites: aion.plaync.jp aran.kr.gameclub.com auth.siren24.com baram.nexon.com bns.plaync.com booknlife.com capogames.net cultureland.co.kr clubaudition.ndolfin.com df.nexon.com dk.halgame.com dragonnest.nexon.com elsword.nexon.com fifaonline.pmang.com fifaonline3.nexon.com fmaplestory.nexon.com hangame.com happymoney.co.kr heroes.nexon.com id.hangame.com itembay.com itemmania.com kr.battle.net lcs.mezzo.hangame.com login.nexon.com maplestory.nexon.com netmarble.net nexon.com plaync.co.kr pmang.com poker.hangame.com samwinfo.capogames.net teencash.co.kr tera.hangame.com yulgang.mgame.com
Banking websites: bank.cu.co.kr banking.nonghyup.com epostbank.go.kr ibk.co.kr kbstar.com keb.co.kr shinhan.com wooribank.com
Analysis by Carmen Liang
Last update 08 September 2019