PWS:Win32/Axespec.A
First posted on 31 July 2010.
Source: SecurityHome
Aliases :
PWS:Win32/Axespec.A is also known as W32/Trojan3.BVS (Authentium (Command)), Trojan.Win32.Oficla.bw (Kaspersky), Trojan.Cutwail.EGA (VirusBuster), Trojan horse SHeur3.AILU (AVG), TR/Drop.Agent.AAJ.1 (Avira), Trojan.Generic.4482967 (BitDefender), Trojan.Packed.20543 (Dr.Web), Win32/Agent.RDE (ESET), Trojan.Win32.Oficla (Ikarus), Trj/Downloader.MDW (Panda), Mal/FakeAV-BW (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), TROJ_OFICLA.B (Trend Micro).
Explanation :
PWS:Win32/Axespec.A is a trojan that steals sensitive information from the infected computer and injects its code into various processes.
Installation
Upon execution, PWS:Win32/Axespec.A copies itself to %SYSTEM%\svrwsc.exe and then sets the file's creation date to match that of %SYSTEM%\svchost.exe.

Note: %SYSTEM% refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.

So that %SYSTEM%\svrwsc.exe executes at each Windows start, the trojan installs it as a service named "SvrWsc", with the display name "Windows Security Center Service" and the description "The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service".

The trojan attempts to inject code into all running processes, avoiding the following:
Svchost.exe
Explorer.exe
Outlook.exe
Msimn.exe
Iexplore.exe
Firefox.exe

The trojan also creates the following registry entries to store information for its own use:
Adds value: 'MSA'
To subkey: HKLM\Software\Microsoft\DirectX
Adds value: 'MSB'
To subkey: HKLM\Software\Microsoft\DirectX

Payload
Steals sensitive information
PWS:Win32/Axespec.A steals sensitive information from the infected system and posts it to a specific domain. It collects any cookies stored in the user's Mozilla Firefox Profiles folder and any documents saved in the MS Office temporary directory, writes this information to a log file, and then sends that log via an HTTP POST command to the domain "musiceng.ru".
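The host artifacts listed above (the dropped file with a copied creation timestamp, the SvrWsc service, and the MSA/MSB registry values) can be checked on a Windows system with the following hunting script. It is an added example, not part of the original write-up or of any vendor tool; it only reads and reports, and it matches the service on its binary path as well as its name because the display name "Windows Security Center Service" is chosen to resemble the legitimate Security Center service (wscsvc). The %SYSTEM% path is taken from $env:SystemRoot, and the registry key is checked exactly as the write-up gives it (on 64-bit systems a 32-bit sample may land under Wow6432Node instead, which is not covered here).

```powershell
# Added hunting script for the PWS:Win32/Axespec.A artifacts described above.
# Read-only: it reports findings and changes nothing on the host.
$findings = @()

# 1. Dropped file in the System folder, and the creation time copied from svchost.exe
$sys32   = Join-Path $env:SystemRoot 'System32'
$dropped = Join-Path $sys32 'svrwsc.exe'
$svchost = Join-Path $sys32 'svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
    $droppedItem = Get-Item -LiteralPath $dropped
    $svchostItem = Get-Item -LiteralPath $svchost
    # The trojan sets svrwsc.exe's creation date to svchost.exe's; an exact match is a strong signal
    if ($droppedItem.CreationTimeUtc -eq $svchostItem.CreationTimeUtc) {
        $findings += "Creation time of svrwsc.exe equals svchost.exe's ($($droppedItem.CreationTimeUtc)): consistent with timestomping"
    }
}

# 2. Persistence: a service named SvrWsc, or any service whose binary path is svrwsc.exe
$services = Get-CimInstance -ClassName Win32_Service |
            Where-Object { $_.Name -eq 'SvrWsc' -or $_.PathName -match 'svrwsc\.exe' }
foreach ($svc in $services) {
    $findings += "Service '$($svc.Name)' (display name '$($svc.DisplayName)') runs: $($svc.PathName)"
}

# 3. Storage values MSA and MSB under HKLM\Software\Microsoft\DirectX
$key = 'HKLM:\SOFTWARE\Microsoft\DirectX'
if (Test-Path -LiteralPath $key) {
    foreach ($name in 'MSA', 'MSB') {
        $value = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $value) {
            $findings += "Registry value present: $key\$name"
        }
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No PWS:Win32/Axespec.A host artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so that the service query and the HKLM key are readable. The timestamp comparison is the check most worth keeping in a generic hunt: a non-Microsoft binary in System32 whose creation time is identical to svchost.exe's is unusual regardless of its file name.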
Analysis by Amir Fouda. Last update 31 July 2010.