Trojan-PSW.Win32.Widget

Class Trojan-PSW
Platform Win32
Description

Technical Details

This is a password and WebMoney information stealing Trojan program with
the ability to download its “upgrades” from Internet Web sites and replace
itself with its new versions. The Trojan was embedded in freeware
games packages and was distributed in this way in May 2001.

Because the Trojan can “upgrade” itself from Internet Web sites, the
information below may not be completely correct for as yet unknown Trojan
versions.

Installation

When the Trojan is run, it copies itself to the Windows system directory with
the TASKSVR32.EXE name and registers itself in the registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager = tasksvr32.exe

If an error occurs while creating that key (the current user has no access to
HKLM keys), the Trojan registers itself in the HKCU key instead:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager = tasksvr32.exe

The Trojan then creates the helper DLL file COOLX.DLL in the Windows system
directory. The original Trojan file (the one from which the Trojan was started)
is then deleted.

The Trojan also creates more registry keys and writes hexadecimal
values there:

HKCU\Software\Microsoft\DirectX
DRMInstallFocus = %hex value% ; these four values hold the
DRMInstallPlace = %hex value% ; system time at which the Trojan
DRMUpdateFocus = %hex value% ; installed itself
DRMUpdatePlace = %hex value% ; on the system
DRMVersion = %hex value% ; Trojan version

The Trojan then stays in Windows memory as a hidden service process and remains
active until Windows is restarted.
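The installation artifacts above are what a defender can look for. The following added detection example is not part of the original description: it flags the auto-run value (in either hive), the HKCU DirectX DRM* marker values and the two dropped file names in a registry/file snapshot. The snapshot format and the sample entries are constructed for this example.

```python
# Added example: flag the installation artifacts described above in a
# registry/file snapshot (the snapshot format is an assumption of this example).
from typing import Iterable, List, Tuple

RUN_KEY = r"software\microsoft\windows\currentversion\run"
DIRECTX_KEY = r"software\microsoft\directx"
DRM_VALUES = {"drminstallfocus", "drminstallplace", "drmupdatefocus",
              "drmupdateplace", "drmversion"}
DROPPED_FILES = {"tasksvr32.exe", "coolx.dll"}

def _split_hive(path: str) -> Tuple[str, str]:
    # "HKLM\Software\Foo" -> ("hklm", "software\foo"); tolerate forward slashes
    hive, _, rest = path.replace("/", "\\").strip("\\").partition("\\")
    return hive.lower(), rest.lower()

def scan_registry(values: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Report the auto-run value (HKLM or HKCU) and the HKCU DirectX DRM* markers."""
    findings = []
    for key_path, name, data in values:
        hive, subkey = _split_hive(key_path)
        if subkey == RUN_KEY and hive in ("hklm", "hkcu") \
                and name.lower() == "microsoft task manager" \
                and "tasksvr32.exe" in data.lower():
            findings.append(f"autorun: {hive.upper()}\\...\\Run\\{name} = {data}")
        elif subkey == DIRECTX_KEY and hive == "hkcu" and name.lower() in DRM_VALUES:
            # Marker values alone are supporting evidence, not proof of infection
            findings.append(f"marker: HKCU\\...\\DirectX\\{name} = {data}")
    return findings

def scan_files(paths: Iterable[str]) -> List[str]:
    """Report the two dropped file names wherever they appear in the file list."""
    return [f"dropped file: {p}" for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]

# Constructed sample snapshot, not real telemetry; the hex value is a placeholder.
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Task Manager", "tasksvr32.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\DirectX", "DRMVersion", "0x00000002"),
    (r"HKLM\Software\Microsoft\DirectX", "Version", "4.08.00.0400"),
]
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\TASKSVR32.EXE", r"C:\WINDOWS\SYSTEM\COOLX.DLL",
                r"C:\WINDOWS\SYSTEM\KERNEL32.DLL"]

if __name__ == "__main__":
    for line in scan_registry(SAMPLE_REGISTRY) + scan_files(SAMPLE_FILES):
        print(line)
```

Because the Trojan can replace itself with newer versions, treat the file names and marker values as indicators for the known versions only, not as a complete signature.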

Stolen Information

The Trojan sends its author the following information from an infected computer:

Computer name
User name
RegisteredOwner and RegisteredOrganization strings
Installed hardware information
Network resources with access mode
IP address
RAS information and cached passwords
Other Internet access logins and passwords
ICQ user information
WebMoney information and data files

Upgrading

Depending on several conditions, the Trojan obtains files from Internet sites,
downloads them to the Windows temporary directory under the RTTY32.EXE name and
spawns them. These files are the next Trojan versions, and they may have
improved functionality.

Known Trojan versions download files from the following pages:

sfavp.chat.ru/update
widpage.chat.ru/update

Other

Some known versions also:

  • overwrite the C:\AUTOEXEC.BAT file with a “format C:” Trojan program.
  • run Internet Explorer and open one of the following pages:

    http://vrs.ru
    http://ebooks.vov.ru
    http://3w.ozonebooks.com

  • run a DoS attack on http://www.ibm.com