PWS:Win32/Stealer.M


First posted on 28 May 2009.
Source: SecurityHome

Aliases :

PWS:Win32/Stealer.M is also known as VirTool:Win32/VBInject.gen!U (Microsoft), Win-Trojan/VBInject.53248 (AhnLab), Trojan-Dropper.Win32.Pincher.tl (Kaspersky), W32/Smalldoor.DWOX (Norman), Troj/VB-EBX (Sophos), BackDoor-DVL (McAfee).

Explanation :

PWS:Win32/Stealer.M is a trojan that steals sensitive information, such as passwords and usernames for messaging and browsing applications, from an affected machine.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation
PWS:Win32/Stealer.M does not copy itself to the local machine, nor does it modify the registry to execute itself at Windows start. This trojan runs from where it is first executed, and is most likely installed or run by other malware that has previously compromised the affected machine.

Payload
Steals sensitive information
PWS:Win32/Stealer.M attempts to steal passwords and usernames from the following applications:
Firefox 2
Firefox 3
Google Talk
Internet Explorer 6
Internet Explorer 7
Messenger Live
Msn Messenger
No-Ip
Outlook
Pidgin
Steam
Trillian

It writes captured data in HTML format to a file in the temp directory called u16event.html. It then connects to an FTP server and uploads the HTML file to it. It may use the machine name of the local affected machine in the name of the uploaded file. When this process is complete, it deletes the file from the temp folder and quits. PWS:Win32/Stealer.M can gather multiple URLs/usernames/passwords for each of these programs.
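The payload description above gives a defender a short-lived but distinctive sequence to look for: a process writes u16event.html into a Temp directory, opens an outbound FTP connection, then deletes that same file. The following is an added detection example, not part of the advisory and not Microsoft's own detection logic. It correlates Sysmon-style host events per process and reports a high-confidence finding only when the full create-upload-delete chain is observed; the event field names and the sample events are constructed for the example, and the assumption that the FTP upload appears as a connection to port 21 is ours, not the advisory's.

```python
"""Correlate host telemetry for the PWS:Win32/Stealer.M exfiltration chain.

Added example (not from the original advisory). Event layout is a constructed,
Sysmon-like dict per event: ts, pid, image, event, and target or dst_port.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators taken from the advisory text: the capture file name in the temp
# folder and the FTP upload that follows it.
CAPTURE_FILE = "u16event.html"
FTP_PORT = 21                                   # assumption: plain FTP control port
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    confidence: str                              # "high" = full chain seen, "medium" = file only
    reasons: List[str] = field(default_factory=list)


def _is_capture_file(path: str) -> bool:
    """True when the path is u16event.html inside a Temp directory."""
    return path.lower().endswith("\\" + CAPTURE_FILE) and TEMP_DIR_RE.search(path) is not None


def detect_stealer_m(events: List[Dict]) -> List[Finding]:
    """Group events by pid in timestamp order and walk the chain:
    FileCreate(u16event.html) -> NetworkConnect(:21) -> FileDelete(u16event.html)."""
    by_pid: Dict[int, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid.setdefault(ev["pid"], []).append(ev)

    findings: List[Finding] = []
    for pid, evs in by_pid.items():
        created = False
        ftp_after_create = False
        deleted_after_ftp = False
        image = evs[0].get("image", "?")
        for ev in evs:
            kind = ev["event"]
            if kind == "FileCreate" and _is_capture_file(ev.get("target", "")):
                created = True
            elif kind == "NetworkConnect" and created and ev.get("dst_port") == FTP_PORT:
                ftp_after_create = True
            elif kind == "FileDelete" and ftp_after_create and _is_capture_file(ev.get("target", "")):
                deleted_after_ftp = True
        if not created:
            continue                             # no capture file: nothing to report for this pid
        reasons = [f"wrote {CAPTURE_FILE} in a Temp directory"]
        if ftp_after_create:
            reasons.append("outbound FTP connection after the file was written")
        if deleted_after_ftp:
            reasons.append("capture file deleted after the FTP connection")
        confidence = "high" if (ftp_after_create and deleted_after_ftp) else "medium"
        findings.append(Finding(pid, image, confidence, reasons))
    return findings


# Constructed sample telemetry: pid 1234 shows the full chain, pid 555 only
# writes the capture file, pid 777 is benign activity in the same Temp folder.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 1234, "image": r"C:\Users\alice\Downloads\stage2.exe",
     "event": "FileCreate", "target": r"C:\Users\alice\AppData\Local\Temp\u16event.html"},
    {"ts": 2, "pid": 1234, "image": r"C:\Users\alice\Downloads\stage2.exe",
     "event": "NetworkConnect", "dst_ip": "203.0.113.10", "dst_port": 21},
    {"ts": 3, "pid": 1234, "image": r"C:\Users\alice\Downloads\stage2.exe",
     "event": "FileDelete", "target": r"C:\Users\alice\AppData\Local\Temp\u16event.html"},
    {"ts": 4, "pid": 555, "image": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "event": "FileCreate", "target": r"C:\Users\bob\AppData\Local\Temp\u16event.html"},
    {"ts": 5, "pid": 777, "image": r"C:\Windows\System32\notepad.exe",
     "event": "FileCreate", "target": r"C:\Users\bob\AppData\Local\Temp\notes.html"},
]


if __name__ == "__main__":
    for f in detect_stealer_m(SAMPLE_EVENTS):
        print(f"pid={f.pid} image={f.image} confidence={f.confidence}: {'; '.join(f.reasons)}")
```

Because the trojan deletes the capture file as soon as the upload finishes, a scheduled file scan of the Temp folder will usually miss it; the value of the correlation above is that it works from the event stream rather than from what remains on disk. The medium-confidence branch deliberately keeps the file-only hit so a blocked or failed upload still surfaces for triage.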

Analysis by Hamish O'Dea

Last update 28 May 2009
