Home / malwarePDF  

Virus:Win32/Passma.A


First posted on 29 March 2010.
Source: SecurityHome

Aliases :

Virus:Win32/Passma.A is also known as Win32/Passma (AhnLab), W32/Worm.ECP (Authentium (Command)), Win32.Worm.Passma.A (BitDefender), Win32/Passma.D (CA), Worm.Win32.Passma (Kaspersky), W32/Passma.worm.f (McAfee), W32/Passma.B (Norman), W32/PassMail-C (Sophos), W32.Passma (Symantec), PE_PASSMA.B (Trend Micro), Win32.HLLP.Passma.A (VirusBuster).

Explanation :

Virus:Win32/Passma.A is a virus that infects Windows executables. The virus also attempts to capture and send sensitive information including password credentials to a remote attacker.
Top

Virus:Win32/Passma.A is a virus that infects Windows executables. The virus also attempts to capture and send sensitive information including password credentials to a remote attacker. InstallationThis virus is installed upon running an infected executable. When run, it drops a copy of the virus as the following file: <system folder>\SERVICEMGR.EXE The registry is modified to run the virus at each Windows start. Adds value: "Service Manager"With data: "<system folder>\SERVICEMGR.EXE"To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Spreads Via€¦ File infectionVirus:Win32/Passma.A infects Windows files with a file extension ".EXE" located on fixed drives and shared drives by appending its whole image to the host program. When an infected file is run, the virus code extracts and drops the host program as "<file name>.hwd" and then executes it. The virus later deletes the .HWD host file as a cleanup process. Payload Captures and distributes sensitive informationVirus:Win32/Passma.A logs the affected computer's information such as the following:

  • computer name
  • IP address
  • date
  • logged in user name
  • platform
  • operating system runtimes
  • name of currently executing infected file
  • Captured information is encrypted and stored in the following registry subkey:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Time Zones\PM
  • The virus logs passwords associated with the following applications
  • WINZIP32 (Winzip)
  • YPAGER (Yahoo Messenger)
  • MSNMSGS/MSMSGS/MSNMSGR (MSN Messenger)
  • AOL (AOL Messenger)
  • BOL (Rediff Bol Messenger)
  • MPREXE (Windows Startup/Network Interface)
  • IEXPLORE (Microsoft Internet Explorer)
  • Gathered data will be sent to an attacker via an SMTP server named €œsmtp.indiatimes.com€.

    Analysis by Rodel Finones

    Last update 29 March 2010

     

    TOP

    Malware :