
PWS:Win32/Dexter.B


First posted on 01 November 2013.
Source: Microsoft

Aliases:

There are no other names known for PWS:Win32/Dexter.B.

Explanation:

Threat behavior

Installation

When run, this threat drops a copy of itself as the file:

%APPDATA%\<random folder>\<random file name>

Some examples are:

  • %APPDATA%\acxod\acxod.exe
  • %APPDATA%\fbebr\fbebr.exe


This threat also makes the following registry changes so that its copy automatically runs every time Windows starts or you log in:

In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<GUID>" (for example, "33b6f3e0-78c3-4424-ad78-380bc05df421" or "7bf4c70e-c9b6-4e1a-b4ee-039529fc8e35")
With data: "%APPDATA%\<random folder>\<random file name>"

It also creates this entry as part of its installation routine:

In subkey: HKCU\Software\Resilience Software
Sets value: "Digit"
With data: "<GUID>", for example, "33b6f3e0-78c3-4424-ad78-380bc05df421"

Payload

Changes settings for high-risk file types

This threat sets EXE, BAT, REG, and VBS files, which are normally high-risk file types (malware often has one of these extensions), to low-risk file types:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".exe;.bat;.reg;.vbs;"

Steals credit card information

This threat steals the following information from Internet Explorer:

  • Track data (which is related to credit card data when you make online transactions)
  • Computer name for the PC
  • What version of Windows you have on your PC
  • What type of processor you have for your PC
  • What processes are currently running


It then sends this information to a hacker.

A hacker can also command this threat to do the following:

  • Update the threat version on your PC
  • Change the time delay between connecting to the hacker to send the stolen info
  • Change the time delay between searching your PC for sensitive data
  • Uninstall itself
  • Download and run files, which might be other threats


We've observed this threat connecting to the following servers to send the stolen data:

  • the server at 193.107.17.126
  • 11e2540739d7fbea1ab8f9aa7a107648.com
  • 7186343a80c6fa32811804d23765cda4.com
  • e7dce8e4671f8f03a040d08bb08ec07a.com
  • e7bc2d0fceee1bdfd691a80c783173b4.com
  • 815ad1c058df1b7ba9c0998e2aa8a7b4.com
  • 67b3dba8bc6778101892eb77249db32e.com
  • fabcaa97871555b68aa095335975e613.com
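The following is an added example and not part of the Microsoft write-up: it matches log lines against the servers listed above. The log lines and their format are constructed for the example; only the IP address and the seven domains come from the page. Beyond the exact list, it also flags any hostname that is a 32-character hex label under .com, which is the pattern every listed domain follows; that heuristic is my own assumption and is reported at lower confidence.

```powershell
# Added example (not from the Microsoft write-up): match log lines against the
# PWS:Win32/Dexter.B servers listed in the description.
$dexterServers = @(
    '193.107.17.126',
    '11e2540739d7fbea1ab8f9aa7a107648.com',
    '7186343a80c6fa32811804d23765cda4.com',
    'e7dce8e4671f8f03a040d08bb08ec07a.com',
    'e7bc2d0fceee1bdfd691a80c783173b4.com',
    '815ad1c058df1b7ba9c0998e2aa8a7b4.com',
    '67b3dba8bc6778101892eb77249db32e.com',
    'fabcaa97871555b68aa095335975e613.com'
)

# Constructed sample log (resolver/proxy style); for real logs use Get-Content <path> instead.
$sampleLog = @(
    '2013-11-01T10:02:13Z client=10.0.0.15 query=www.example.com type=A',
    '2013-11-01T10:02:40Z client=10.0.0.15 query=815ad1c058df1b7ba9c0998e2aa8a7b4.com type=A',
    '2013-11-01T10:03:01Z client=10.0.0.22 connect dst=193.107.17.126:80',
    '2013-11-01T10:03:05Z client=10.0.0.22 connect dst=193.107.17.1:80',
    '2013-11-01T10:04:17Z client=10.0.0.31 query=0123456789abcdef0123456789abcdef.com type=A'
)

# Exact-match pattern: each indicator is regex-escaped and bounded by lookarounds,
# so 193.107.17.1 does not match 193.107.17.126 and a longer hostname is not a hit.
$escaped = $dexterServers | ForEach-Object { [regex]::Escape($_) }
$exactPattern = '(?<![A-Za-z0-9.-])(' + ($escaped -join '|') + ')(?![A-Za-z0-9-])'

# Lower-confidence heuristic (my assumption, not stated in the write-up): every listed
# domain is a 32-character hex label under .com, so flag any such name separately.
$hexLabelPattern = '(?<![A-Za-z0-9.-])[0-9a-f]{32}\.com(?![A-Za-z0-9-])'

function Find-DexterNetworkIndicators {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $exactPattern) {
            [pscustomobject]@{ Confidence = 'High'; Indicator = $Matches[1]; Line = $line }
        } elseif ($line -match $hexLabelPattern) {
            [pscustomobject]@{ Confidence = 'Low'; Indicator = $Matches[0]; Line = $line }
        }
    }
}

# On the constructed sample this reports two High hits (the domain query and the
# connection to 193.107.17.126) and one Low hit (the unlisted 32-hex-character name).
Find-DexterNetworkIndicators -Lines $sampleLog | Format-Table -AutoSize
```

The lookarounds matter more than they look: a naive `Select-String '193.107.17.126'` also treats each dot as a wildcard and matches any longer string containing the text, which is how near-miss addresses end up in an alert queue.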




Analysis by Rex Plantado

Symptoms

The following could indicate that you have this threat on your PC:

  • You see this key in your registry:
    HKCU\Software\Resilience Software
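The following is an added example, not part of the Microsoft write-up, that checks a Windows host for the registry indicators described on this page: the marker key listed under Symptoms, the GUID-named Run entries that point into %APPDATA%, and the LowRiskFileTypes policy change. The function name and the output format are my own; the key paths, value names and data patterns are the ones the description gives.

```powershell
# Added example (not from the Microsoft write-up): look for the PWS:Win32/Dexter.B
# registry indicators listed in the description. Run from an elevated PowerShell
# session so the HKLM and HKU hives can be read.
function Find-DexterRegistryIndicators {
    $findings = @()

    # 1. Marker key listed under Symptoms. Its "Digit" value holds a GUID; the write-up
    #    shows the same example GUID as the name of the Run value.
    $markerKey = 'HKCU:\Software\Resilience Software'
    if (Test-Path -Path $markerKey) {
        $digit = (Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue).Digit
        $findings += [pscustomobject]@{ Indicator = 'Marker key present'; Location = $markerKey; Data = $digit }
    }

    # 2. Run values whose name is a GUID and whose data points into %APPDATA%.
    $guidPattern = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
    $appDataPattern = '%APPDATA%|\\AppData\\Roaming\\'
    $runKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            # GetValue() expands %APPDATA% in REG_EXPAND_SZ data, so both forms are matched.
            $data = [string]$regKey.GetValue($name)
            if ($name -match $guidPattern -and $data -match $appDataPattern) {
                $findings += [pscustomobject]@{ Indicator = 'GUID-named Run value'; Location = "$key\$name"; Data = $data }
            }
        }
    }

    # 3. High-risk extensions demoted to low risk through the Attachment Manager policy.
    $assocKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
    if (Test-Path -Path $assocKey) {
        $lowRisk = (Get-ItemProperty -Path $assocKey -ErrorAction SilentlyContinue).LowRiskFileTypes
        if ($lowRisk) {
            $demoted = ($lowRisk -split ';') | Where-Object { $_ -in @('.exe', '.bat', '.reg', '.vbs') }
            if ($demoted) {
                $findings += [pscustomobject]@{ Indicator = 'Risky types marked low risk'; Location = "$assocKey\LowRiskFileTypes"; Data = $lowRisk }
            }
        }
    }

    return $findings
}

# Wrap in @() so a single finding (or none) still behaves as an array.
$results = @(Find-DexterRegistryIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No PWS:Win32/Dexter.B registry indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Any one finding is worth following up on its own: the Resilience Software key has no legitimate owner, and a GUID-named Run value launching an executable from a random folder under %APPDATA% matches the installation behaviour described above regardless of which sample name was used.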

Last update 01 November 2013
