
PWS:Win32/Witkinat.A


First posted on 06 July 2010.
Source: SecurityHome

Aliases:

PWS:Win32/Witkinat.A is also known as W32/TrojanX.EKZK (Authentium (Command)), Trojan-Spy.Win32.Insain.adt (Kaspersky), Dropper.Generic2.TXX (AVG), TR/Dropper.Gen (Avira), Win32/Witkinat.R (ESET), Trojan-Spy.Win32.Insain (Ikarus), Trj/Downloader.MDW (Panda), Troj/Penser-Gen (Sophos), TROJ_PENSER.W (Trend Micro).

Explanation:

PWS:Win32/Witkinat.A is a trojan that monitors Internet traffic and opens websites depending on certain keywords present in the browser's address bar. It may also connect to remote servers to download arbitrary files and/or upload information about the infected computer.

Installation

PWS:Win32/Witkinat.A drops the following components:

  • <system folder>\0047.dll
  • <system folder>\wexe.exe

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.

It adds the following registry entry to ensure that its component automatically runs every time Windows starts:

Adds value: "AppInit_DLLs"
With data: "<system folder>\0047.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

It also creates the following registry entry as part of its installation routine:

Adds value: "DEPOff"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main

PWS:Win32/Witkinat.A may also inject code into the following process:

  • winlogon.exe
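The AppInit_DLLs and DEPOff values listed above are the host-side indicators a responder checks first, and because the `<system folder>` path varies per Windows version the check has to match on the file name rather than a fixed path. The following Python script is an added example, not code from the original write-up or from any vendor: it parses a registry export in `.reg` format (the embedded sample is constructed to model the values described above, not a capture from a real infection) and flags an AppInit_DLLs entry that loads a dropped component, any other non-empty AppInit_DLLs entry for manual review, and DEPOff set to 1 under the Internet Explorer policy key. The function names, severity labels and sample export are assumptions of this example.

```python
import re

# Constructed sample of a `reg export` (.reg) file modelled on the values the
# write-up lists. It is not taken from a real infected system.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\0047.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main]
"DEPOff"="1"
'''

# Component file names from the write-up; matched by basename because the
# system folder path differs between Windows versions.
DROPPED_FILES = ("0047.dll", "wexe.exe")

# Subkeys named in the write-up, lower-cased for case-insensitive lookup.
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
IE_MAIN_KEY = r"hkey_local_machine\software\policies\microsoft\internet explorer\main"


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"=data lines. Returns {key: {value_name: data}} with keys and value
    names lower-cased; string data has .reg backslash escaping undone and
    dword data is converted to a decimal string."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def find_witkinat_persistence(reg_text):
    """Return a list of (severity, message) findings for the indicators above."""
    keys = parse_reg_export(reg_text)
    findings = []

    # AppInit_DLLs holds zero or more paths separated by spaces or commas;
    # every DLL listed there is loaded into each process that loads user32.dll.
    appinit = keys.get(WINDOWS_KEY, {}).get("appinit_dlls", "")
    for entry in re.split(r"[,\s]+", appinit):
        if not entry:
            continue
        basename = entry.rsplit("\\", 1)[-1].lower()
        if basename in DROPPED_FILES:
            findings.append(("high", f"AppInit_DLLs loads a Witkinat component: {entry}"))
        else:
            findings.append(("medium", f"AppInit_DLLs is non-empty, review: {entry}"))

    # DEPOff=1 under the IE policy key disables Internet Explorer's DEP opt-in.
    if keys.get(IE_MAIN_KEY, {}).get("depoff") == "1":
        findings.append(("medium", "DEPOff=1 set under the Internet Explorer policy key"))

    return findings


if __name__ == "__main__":
    for severity, message in find_witkinat_persistence(SAMPLE_REG_EXPORT):
        print(f"[{severity}] {message}")
```

Run it against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` and the same for the IE policy key) by passing the file contents instead of the sample. A non-empty AppInit_DLLs is reported even when the name is not one listed here, because the value is a common persistence location and a legitimate entry should be rare enough to justify a look.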
Payload

Monitors Internet traffic and opens websites

PWS:Win32/Witkinat.A monitors Internet activity by injecting malicious code into the following browser processes:

  • firefox.exe
  • iexplore.exe

It monitors Internet activity when the following keywords are present in the address bar:

&p= &q= &qkw= &query= &searchfor= &text= .aolcdn. .arfie. .atdmt. .doubleclick. .live. .lygo. .microsoft. .msn. .revsci. .wikipedia.org /complete/search? /image/results? /news/results? /videosearch? /Web/ ?p= ?q= ?qkw= ?query= ?searchfor= ?text= addthis.com advertising. alltheweb. altavista. analytics.com api.bing. ask.com askcache. bing. blogsearch.google cache? captionHandler.a cat=img cnn. dogpile. everesttech.net excite. facebook. ftp: google. google.search. googleads. groups.google gstatic. hotbot. https: images? imdb. imgfarm. infospace.com infospaceinc. lycos. metacrawler. mtv. myspace. mywebsearch. othersonline. pandora. sa.aol. search.aol. search.com search.com search.netscape. search.yahoo. ss.ask. suggest translate.google translate.google twitter. ubox.info webcrawler. wzus1. wzus2. yimg. youtube. ytfeed

It may open a website from the following list, depending on which keyword it matches:

007investigators.com 070korea.com 1-on-2-sex.com 1insure.com 3deeprinters.com 4homeex.com 4onlinedating.com 4outlook.com 5qx.com 7q11.com 862268.com 97goto.info a-z-accessories.com a-z-herbs.com abcarcadee.com acornmail.com addictedtotraffic.com after-sport.com alcoholetanol.com all4pluslarowed.com alphawebhost.com americansgames.com arabia.info ashevillenorthcarolinahotels.com auctionscomplete.com avatarbooks.com aylwin.com bagpipr.com bague-solitaire.com bakingbread.net basicadnetwork.com bassanoveneto.com beefupsecurity.com befreite-tiere.org belizecondotels.com bethelmusiccenter.com biscotto.com bmovies.us boderlinepersonalitydisorder.org body-reference.com boligtorvet.com brain-drain.info brooklynbabystore.com browsearuba.com bubblebang.com bugrobots.com builttospillforum.com bunnyshopping.com buy-games.org cheese101.com buyinganannuity.com cabsfast.com calmian.com ccmrgo.org certificadores.com childernandfamilies.com cityscooter.net classifique.com coliris.com comera.net
comprocket.com courriers.com crunch-up.com cubitandwest.com cyclocrossframes.com dailie.com dartia.com datreo.com decelta.com dermos.com designairbags.com digihiway.com digitalconect.com divisionoflabor.info dlmj.com dragtotop.info drmaul.com dtvdemand.org dummy.biz dunnfamily.com eastdocu.com edeno.com eightrounds.com elitemileage.com energy-efficient-furnaces.com estrecho.com europeanexchangerates.com eutours.net eyemo.com ezski.com fafsa.info fathersblog.com featheroffice.com fibrasol.com financetel.com finewear.com finlandguide.info fivedimensional.com flashing.us foiy.com foreclosedbustour.com francobolli.biz freedvdplace.com fuckdownload.com fuzp.com gainesville.us gatefb.com gaynudes.org gcbids.com gearworks.net girlsofsydney.com giver.net gobiernosonline.com golfgo.info golfvacationhome.com gordan.net gray-horse.com growbiznet.com grupomassa.com gtavicecitystoriescheats.com guesthousefinder.com guyfamily.com hairconditions.com highbonuspoker.com hoeren.org horodateurs.com hotbrunettecollegegirls.com hrpractitioner.com hydromorphonehcilawsuits.com ids-summit.com ifreeproducts.com ilikeforex.com imagensexo.com incfinancialservices.com inphilippine.com insuranceregistry.info internetmoverlist.net investorrelations.us irwt.org ixadea.com jardin-fanzine.com jewishpubs.com jip.biz johnmaster.com jonandkateofftlc.com jumpmobile.net kuvos.com ladybirdclothes.com lastran.com leadingedgemedicine.com lentias.com light3000.com linkdollars.info localadwhiz.com lookingformarriedwomen.com lorieonline.com lovelypussies.com lrdh.com luxurycarworld.com m1visa.com machojobs.com magazinediscountnetwork.com majorcabesthotels.com mchenrycountypublicrecords.org mdraperrealty.com medgarant.com medical-records-search.com melumo.net metime.net mibia.com michigantrail.com miracleradio.org sporgo.com mitzvahkinder.com mmaville.com movies365.com mushroomextract.info mycooltattoos.com mylady.info mymartinlogan.com n-3.info naturalhang newhitdrama.com nochenegra.com nowfile.com
nycdiscovers.com nyshealthplan.com oklahomafinance.net oktoberfestfreunde.net optimusbeauty.com oregonoutdooradventures.com ou-travailler.com oveka.com overcure.com p-n-a.org pakistanimusic.org panhandlegroundwater.org patchboards.com pepstation.com phonegods.com piercingnipples.com pointstory.com portalmix.info portlandsporthaus.com powerture.com printyourownshirts.com privatejetairport.com productosdechina.org proprieteviticole.com qqqn.net ubhotel.com qubb.net qvgu.com qwesters.com raoban.net realcars.net rededobanco.com reducedtransfat.com registrodemadrid.com rentthisplane.com reviewactors.com roddler.com rodib.com rogerdeago.com romaniaair.com rsea.org russiakasino.com rvl.net sale24.com samplebay.com sbsgame.com scentiment.net scriptbookers.com selectingajob.com sensitiveporn.com sestex.com sexualmasturbation.com singleseatcar.com skelmersdale.biz smallbusinesssmiths.com smart-grid.us softrion.com software-find.com sohoartauctions.com soloropainterior.com sorap.com sportbikestv.com sportsbekleidung.com stallionboards.com stefanedberg.com stillkill.com storewindowdisplays.com subordinating.com suiteon.com sultry.info supremacy.us tafeltjes.com tahajod1429.info tantem.com tape-worm.com teatreedirect.com thebestskincreamproducts.com therealestateagents.com theringer.com thevoicechoice.us throwr.com topandbottomshop.com topxxxtraffic.com touch-me.com tvlh.com ubox.info uglygut.com urfaliyiz.biz urlifeonline.com usafha.us used-motorcycle--parts.com v-p-t.com videobuscador.com videogamecheater.com videorado.com vitalgrounds.com vosicky.com voyeurtalk.com w0r1d.com wavelanguage.com webtraining.biz whatrecession.com wireless-telephone.net womanjail.com worldcup10.org xhau.com xn--5dbamppt.com xn--ekry3qr0ivk1b.com xn--estticadental-dhb.com xn--mgbug1ern.com xxxeasyteen.com yenjapan.com youay.com zipnetsearch.com zufall.info zuyong-che.net

Connects to remote servers

PWS:Win32/Witkinat.A connects to certain IP addresses; some of the addresses it is known to connect to are:
  • 193.169.219.77
  • 193.169.219.76
  • 193.169.219.72
  • 91.209.238.5

It may download arbitrary files from these or other addresses. It may also send sensitive computer information to these remote servers, including the computer name.
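The four addresses above are the network indicators for this family, and the practical use of such a list is to sweep existing firewall or proxy logs for hosts that have already talked to them. The following Python script is an added example, not code from the original write-up or from any vendor: it matches constructed firewall log lines (format `time src dst dport`, invented for this example, not real traffic) against the listed addresses, skips malformed lines, and summarises which internal hosts need triage. The log format, function names and sample lines are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Remote addresses listed in the write-up, parsed once so that comparisons are
# on address objects rather than on strings with possible formatting variance.
WITKINAT_C2 = {
    ipaddress.ip_address(a)
    for a in ("193.169.219.77", "193.169.219.76", "193.169.219.72", "91.209.238.5")
}

# Constructed firewall log sample (not real traffic): "time src dst dport".
# The last line is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
2010-07-06T10:01:12Z 10.0.0.15 193.169.219.77 80
2010-07-06T10:01:13Z 10.0.0.15 74.125.19.99 80
2010-07-06T10:02:40Z 10.0.0.23 91.209.238.5 80
2010-07-06T10:03:01Z 10.0.0.15 193.169.219.72 80
2010-07-06T10:03:02Z 10.0.0.42 8.8.8.8 53
bad line
"""


def match_c2_connections(log_text):
    """Return one dict per log line whose destination is a listed address."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or truncated line; do not let it abort the sweep
        timestamp, src, dst, dport = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # not an address/port pair we can interpret
        if dst_ip in WITKINAT_C2:
            hits.append({"line": lineno, "time": timestamp, "src": src,
                         "dst": dst, "dport": dport})
    return hits


def hosts_to_triage(hits):
    """Count matching connections per internal source host, most active first."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    matches = match_c2_connections(SAMPLE_LOG)
    for h in matches:
        print(f"line {h['line']}: {h['src']} -> {h['dst']}:{h['dport']} at {h['time']}")
    for host, count in hosts_to_triage(matches).most_common():
        print(f"triage {host}: {count} connection(s)")
```

A host appearing in the output is a candidate for the registry and file checks described under Installation; a hit on its own shows a connection attempt, not a confirmed infection. The write-up says the sample may download from "these or other addresses", so an empty result from this sweep does not clear a host either.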

    Analysis by Francis Allan Tan Seng

    Last update 06 July 2010
