
PWS:MSIL/Petun.A


First posted on 26 November 2019.
Source: Microsoft

Aliases:

PWS:MSIL/Petun.A is also known as Trojan.MSIL.Petun.a, Mal/MSIL-BA.

Explanation:

PWS:MSIL/Petun.A is a trojan that steals information from the affected computer. The information is then sent to a remote attacker via email or uploaded to an FTP server. PWS:MSIL/Petun.A is also capable of changing certain computer settings.

Installation

When run, PWS:MSIL/Petun.A attempts to copy itself to the computer using a specific file name. In the wild, it has been known to use the following names:

svchost.exe
rsddoser.exe

Depending on several configurable settings, PWS:MSIL/Petun.A may notify a remote attacker of the successful infection of the computer via email or FTP.

It also adds entries to the system registry so that it automatically executes its copy every time Windows starts, for example:

In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "%AppData%\rsddoser.exe"

Payload

Modifies system settings
PWS:MSIL/Petun.A changes the following settings through the system registry:

Disables Task Manager:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Removes the "Run" command from the Start menu:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoRun"
With data: "1"

Removes shortcut menus from the desktop and from Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoViewContextMenu"
With data: "1"

Disables the command prompt and prevents the computer from running batch files:
In subkey: HKCU\Software\Policies\Microsoft\Windows\System
Sets value: "DisableCMD"
With data: "2"

It also disables Least-privilege User Account (LUA), ensuring that the user is not prompted if the malware attempts to execute malicious commands. It also attempts to terminate Task Manager if it runs.
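The registry changes listed above are easy to audit on a suspect host. The following PowerShell script is an added example written for this page, not code from Microsoft's write-up; it reads the four policy values and the two Run keys named above and reports anything that matches, without changing the registry. The file name rsddoser.exe and the %AppData% location come from the installation section; treating svchost.exe as suspect only when it runs from %AppData% is this example's own assumption.

```powershell
# Added example (not from the Microsoft write-up): audits a Windows host for the
# registry changes this description attributes to PWS:MSIL/Petun.A and reports
# any that are present. Read-only; it reverts nothing. Run from an elevated
# prompt so the HKLM Run key can be read.

# Policy values the write-up lists, with the data the malware is said to write.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';    Data = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';             Data = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu'; Data = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';        Data = 2 }
)

$findings = @()
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq $c.Data) {
        $findings += "[policy] $($c.Path)\$($c.Name) = $($c.Data)"
    }
}

# Autostart entries: flag Run values whose target is a file name from the write-up.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspectNames = @('rsddoser.exe')   # svchost.exe is legitimate elsewhere; flagged only under %AppData% (assumption)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $data = [string]$p.Value
        if ([string]::IsNullOrWhiteSpace($data)) { continue }
        $leaf = Split-Path -Leaf ($data.Trim('"'))
        $inAppData = $data -match '(?i)%AppData%|\\AppData\\Roaming\\'
        if ($suspectNames -contains $leaf -or ($leaf -ieq 'svchost.exe' -and $inAppData)) {
            $findings += "[run] $key\$($p.Name) -> $data"
        }
    }
}

if ($findings.Count -eq 0) { 'No Petun.A-style registry changes found.' }
else { $findings }
```

A match on the policy values alone is not proof of this trojan, since administrators also set them through Group Policy; correlate with the Run-key finding and the file under %AppData%.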

Clears Internet History
PWS:MSIL/Petun.A may run the following commands:

Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

These commands clear Internet history.

Steals information
PWS:MSIL/Petun.A may log keystrokes as well as steal the following system information:

Computer name
User name
Operating system version
Windows serial key
Available physical memory
Available virtual memory
System folder
Current time

The gathered information is then sent to a remote attacker either via email or uploaded to an FTP server.

Analysis by Dan Kurc

Last update 26 November 2019
