PWS:Win32/Daptdei.A
First posted on 12 March 2010.
Source: SecurityHome
Aliases:
PWS:Win32/Daptdei.A is also known as Backdoor.Win32.Goolbot.g (Kaspersky), Win32/TrojanDownloader.Agent.PGQ (ESET), Generic BackDoor!bba (McAfee), Troj/Daptdei-A (Sophos), BKDR_Generic.DIT (Trend Micro).
Explanation:
PWS:Win32/Daptdei.A is a trojan that steals authentication credentials from an infected machine.
Installation
When executed, the trojan copies itself to the following location:
<system folder>\msxslt3.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.
It modifies the following registry entry to ensure its execution at each Windows start:
Sets value: "MsXSLT"
With data: "<system folder>\msxslt3.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The trojan also injects code into the following processes:
svchost.exe
explorer.exe
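The persistence artefacts described above (the "MsXSLT" Run value and the msxslt3.exe copy in the system folder) are the easiest indicators to check on a host. The following PowerShell is an added example written for this page, not part of the original write-up or any vendor tool; it assumes only the indicator names given above, and additionally flags any other Run value that points at the same filename, since a variant could use a different value name.

```powershell
# Host check for the PWS:Win32/Daptdei.A persistence indicators described in the write-up.
# Indicator names (Run value "MsXSLT", file msxslt3.exe) are taken from the page; everything
# else here is an assumption for illustration. Run from an elevated PowerShell prompt.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'MsXSLT'
$dropName  = 'msxslt3.exe'
# [Environment]::SystemDirectory resolves <system folder> on the machine being checked.
$dropPath  = Join-Path ([Environment]::SystemDirectory) $dropName

$findings = @()
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue

# 1. The exact Run value the trojan sets.
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += [pscustomobject]@{
        Indicator = "Run value '$valueName'"
        Detail    = $run.$valueName
    }
}

# 2. Any other Run value whose data references the dropped filename (renamed value names).
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -ne $valueName -and $_.Value -is [string] -and $_.Value -match [regex]::Escape($dropName) } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = "Run value '$($_.Name)' referencing $dropName"
                Detail    = $_.Value
            }
        }
}

# 3. The dropped copy itself; record its SHA-256 so the sample can be triaged/submitted.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'Dropped file present'
        Detail    = "$dropPath (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    'No PWS:Win32/Daptdei.A persistence indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run value or the file is a strong signal; the absence of both does not rule out the injected code already running in svchost.exe or explorer.exe, so treat a clean result as a reason to look further, not as a clean bill of health.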
Payload
Steals sensitive information
The trojan listens to network traffic on an infected machine, looking for usernames and passwords sent in clear text. If found, the details, including the server and authentication credentials, are posted to a remote host. We have observed the following hosts being contacted by PWS:Win32/Daptdei.A in this manner:
rolstop.in
klitar.cn
cammaru.cn
googlemaniya.cn
analitikall.cn
vipsocks.cn
rebornendkit.cn
kazirnayatema.cn
xconture.cn
xmidnight.cn
Analysis by Ray Roberts
Last update 12 March 2010