
PWS:Win32/Dyzap.H


First posted on 01 December 2014.
Source: Microsoft

Aliases:

There are no other names known for PWS:Win32/Dyzap.H.

Explanation:

Threat behavior

Installation

This threat can be downloaded onto your PC by Trojan:Win32/Upatre. We have seen it installed at the same time as Backdoor:Win32/Vawtrak.

It can inject code into the following processes:

  • svchost.exe
  • explorer.exe


It installs a copy of itself to %LOCALAPPDATA% using a random file name, for example:

  • %LOCALAPPDATA%\PVkCwijhuFyeWgM.exe
  • %LOCALAPPDATA%\eernoslucmwlbkf.exe
  • %LOCALAPPDATA%\RoGcDtLaRXsFkGJ.exe
  • %LOCALAPPDATA%\bKQUEIQGBXBXegG.exe
  • %LOCALAPPDATA%\ovyTkDdYmItWSAm.exe
  • %LOCALAPPDATA%\WuQqLuYPKoePEXl.exe
  • %LOCALAPPDATA%\NJnUfhvHHAGshfy.exe


It adds an entry under the following registry subkey so that the dropped copy runs each time you log on to your PC:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
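
A host-side check for the persistence described above, added here as an example and not part of Microsoft's write-up: it enumerates the HKCU Run key (on Windows; elsewhere it falls back to constructed sample entries) and flags any value that launches a bare 15-letter executable sitting directly in %LOCALAPPDATA%. The 15-letter pattern is inferred from the seven sample file names listed above and is an assumption of this example, as are the user profile path and the sample Run entries.

```python
import ntpath
import os
import re
import sys

# Heuristic taken from the seven sample paths in the write-up, which are all
# 15 letters dropped straight into %LOCALAPPDATA% (no subfolder). Treating
# that as the general pattern is an assumption made for this example.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{15}\.exe$")
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def parse_run_command(command):
    """Pull the executable path out of a Run value: a quoted path with optional
    arguments, or an unquoted path up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close > 0 else command[1:]
    match = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else (command.split() or [""])[0]


def expand_local_appdata(path, local_appdata):
    """Expand %LOCALAPPDATA% ourselves so the check also works off-box."""
    return re.sub(r"%LOCALAPPDATA%", lambda _m: local_appdata, path, flags=re.IGNORECASE)


def is_dyzap_like(command, local_appdata):
    """True when the Run value launches a 15-letter .exe directly in LOCALAPPDATA."""
    path = expand_local_appdata(parse_run_command(command), local_appdata)
    parent = ntpath.normcase(ntpath.dirname(path))
    expected = ntpath.normcase(local_appdata.rstrip("\\"))
    return parent == expected and RANDOM_NAME_RE.match(ntpath.basename(path)) is not None


def scan_entries(entries, local_appdata):
    """Return the (name, command) pairs that match the heuristic."""
    return [(name, cmd) for name, cmd in entries if is_dyzap_like(cmd, local_appdata)]


def collect_run_entries():
    """Enumerate the HKCU Run key on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample entries (not from a real host) so the scan runs offline.
SAMPLE_LOCAL_APPDATA = r"C:\Users\alice\AppData\Local"
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("PVkCwijhuFyeWgM", r"C:\Users\alice\AppData\Local\PVkCwijhuFyeWgM.exe"),
    ("Updater", r'"%LOCALAPPDATA%\eernoslucmwlbkf.exe"'),
    ("vmware-tray", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'),
    ("Temp", r"C:\Users\alice\AppData\Local\Temp\abcdefghijklmno.exe"),
]

if __name__ == "__main__":
    entries = collect_run_entries() or SAMPLE_RUN_ENTRIES
    local = os.environ.get("LOCALAPPDATA", SAMPLE_LOCAL_APPDATA)
    for name, cmd in scan_entries(entries, local):
        print("suspicious Run value %r -> %s" % (name, cmd))
```

Treat a hit as a triage lead rather than a verdict: confirm by hashing the file and checking its signature and creation time, and remember that the value name the malware uses is not given in the write-up, so the check keys on the target path only.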

We have seen the malware contact the following servers using Session Traversal Utilities for NAT (STUN) to discover your PC's public IP address, and from it your approximate location:

  • numb.viagenie.ca
  • s1.taraba.net
  • s2.taraba.net
  • stun.2talk.co.nz
  • stun.callwithus.com
  • stun.ekiga.net
  • stun.faktortel.com.au
  • stun.ideasip.com
  • stun.internetcalls.com
  • stun.ipshka.com
  • stun.iptel.org
  • stun.l.google.com:19302
  • stun.noc.ams-ix.net
  • stun.phonepower.com
  • stun.rixtelecom.se
  • stun.schlund.de
  • stun.sipgate.net
  • stun.stunprotocol.org
  • stun.voip.aebc.com
  • stun.voiparound.com
  • stun.voipbuster.com
  • stun.voipstunt.com
  • stun.voxgratia.org
  • stun1.l.google.com:19302
  • stun1.voiceeclipse.net
  • stun2.l.google.com:19302
  • stun3.l.google.com:19302
  • stun4.l.google.com:19302
  • stunserver.org
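
The exchange behind that list is a single STUN Binding Request and its reply. The following Python, an added example that is not part of Microsoft's analysis, builds the request as it appears on the wire, parses the Binding Success Response to recover the public IP and port the server saw (XOR-MAPPED-ADDRESS for RFC 5389 servers, MAPPED-ADDRESS for older RFC 3489 ones), and includes the live UDP exchange for completeness. The sample reply used offline is constructed here, not captured from any of the servers above.

```python
import os
import socket
import struct

# Constants from RFC 5389 (STUN).
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 servers answer with this
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 servers answer with this
HEADER_LEN = 20


def build_binding_request(transaction_id=None):
    """Build a Binding Request with no attributes: type, length 0, magic
    cookie, 12-byte transaction ID. Returns (datagram, transaction_id)."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    if len(transaction_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    header = struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE)
    return header + transaction_id, transaction_id


def parse_binding_response(data, transaction_id):
    """Return (ip, port) from a Binding Success Response, preferring
    XOR-MAPPED-ADDRESS and falling back to MAPPED-ADDRESS. IPv4 only."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC_COOKIE:
        raise ValueError("missing STUN magic cookie")
    if data[8:HEADER_LEN] != transaction_id:
        raise ValueError("transaction ID mismatch (reply to someone else's request)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: 0x%04x" % msg_type)
    end = HEADER_LEN + msg_len
    if len(data) < end:
        raise ValueError("truncated STUN message")

    mapped = None
    offset = HEADER_LEN
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated STUN attribute")
        offset += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if attr_len < 8 or value[1] != 0x01:  # family 0x01 = IPv4
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16   # un-XOR with the top 16 bits of the cookie
            addr ^= STUN_MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if mapped is None:
        raise ValueError("no (XOR-)MAPPED-ADDRESS in response")
    return mapped


def build_sample_response(transaction_id, ip, port, xor=True):
    """Construct the reply a STUN server would send (made up here for offline
    testing, not captured from any real server)."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        body = struct.pack("!BBHI", 0, 0x01,
                           port ^ (STUN_MAGIC_COOKIE >> 16), addr ^ STUN_MAGIC_COOKIE)
        attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(body)) + body
    else:
        body = struct.pack("!BBHI", 0, 0x01, port, addr)
        attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(body)) + body
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE)
    return header + transaction_id + attr


def query_public_address(server, port=3478, timeout=3.0):
    """The live exchange the malware performs: one UDP Binding Request, one
    reply. Needs network access, so it is not exercised offline."""
    request, tid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, tid)


if __name__ == "__main__":
    req, tid = build_binding_request()
    print("request :", req.hex())
    reply = build_sample_response(tid, "203.0.113.7", 54321)
    print("reply   :", reply.hex())
    print("public address seen by server:", parse_binding_response(reply, tid))
```

For network detection the useful fixed bytes are the message type 00 01 at offset 0 and the magic cookie 21 12 a4 42 at offset 4 of an outbound UDP datagram to port 3478 (or 19302 for the Google servers): STUN is legitimate for VoIP and WebRTC clients, so the signal is a non-browser, non-softphone process in %LOCALAPPDATA% sending it, not the protocol itself.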


Payload

Steals your sensitive information

This malware can inject code into your web browser to monitor your visits to banking websites. It can steal your sensitive information, such as your user names and passwords.

We have seen it send the stolen data to a machine with an IP address registered in Germany.



Analysis by Patrick Estavillo


Symptoms

Alerts from your security software might be the only symptom.

Last update 01 December 2014
