Class
Trojan-PSW
Platform
Win32

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware. When launched, a PSW Trojan searches the system files and registry locations that store confidential data. If such data is found, the Trojan sends it to its "master." Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data. Some such Trojans also steal registration information for certain software programs.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Technical Details

This is a password and WebMoney information stealing Trojan program with the ability to download its "upgrades" from Internet Web sites and replace itself with newer versions. The Trojan was embedded in freeware game packages and was distributed in this way in May 2001.

Because the Trojan can "upgrade" itself from Internet Web sites, the information below may not be completely correct for as yet unknown Trojan versions.

Installation

When the Trojan is run, it copies itself to the Windows system directory under the name TASKSVR32.EXE and registers itself in the registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager = tasksvr32.exe

If an error occurs while creating that value (the current user has no write access to HKLM keys), the Trojan registers itself in the HKCU key instead:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager = tasksvr32.exe

The Trojan then creates the helper DLL COOLX.DLL in the Windows system directory. The original Trojan file (the one from which the Trojan was started) is then deleted.

The Trojan also creates additional registry values and stores hexadecimal data in them:

HKCU\Software\Microsoft\DirectX
DRMInstallFocus = %hex value% ; these four values hold the
DRMInstallPlace = %hex value% ; system time at which the Trojan
DRMUpdateFocus  = %hex value% ; installed itself
DRMUpdatePlace  = %hex value% ; on the system
DRMVersion      = %hex value% ; Trojan version

The Trojan then remains resident in memory as a hidden service process and stays active until Windows restarts.

Stolen Information

The Trojan sends the following information from an infected computer to its author:

Computer name
User name
RegisteredOwner and RegisteredOrganization strings
Installed hardware information
Network resources with access mode
IP address
RAS information
Cached passwords
Other Internet access logins and passwords
ICQ user information
WebMoney information and data files

Upgrading

Depending on several conditions, the Trojan obtains files from Internet sites, downloads them to the Windows temporary directory under the name RTTY32.EXE and executes them. These files are newer Trojan versions and may have extended functionality.

Known Trojan versions download files from the following pages:

sfavp.chat.ru/update
widpage.chat.ru/update

Other

Some known versions also:

  • overwrite the C:\AUTOEXEC.BAT file with a batch script that runs "format C:".
  • launch Internet Explorer and open one of the following pages:
    http://vrs.ru
    http://ebooks.vov.ru
    http://3w.ozonebooks.com
  • launch a DoS attack against http://www.ibm.com
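
The following script is an added example, not code from the original description or from Kaspersky. It sweeps a Windows host for the indicators named in the Installation, Upgrading and Other sections above: the "Microsoft Task Manager" auto-run value under HKLM and HKCU, the dropped TASKSVR32.EXE and COOLX.DLL in the system directory, the RTTY32.EXE update binary in the temporary directory, the DRM* marker values under HKCU\Software\Microsoft\DirectX, a running tasksvr32 process, and a "format C:" line in C:\AUTOEXEC.BAT. The value names and paths come from the text above; the extra SysWOW64 lookup (where a 32-bit process's system directory is redirected on 64-bit Windows) and the SHA-256 hashing of dropped files are assumptions added for modern hosts.

```powershell
# Added example: sweep a host for the indicators listed in this description.
# Not part of the original description. Run from an elevated PowerShell session
# so that all registry views and file locations are readable.

$findings = @()

# 1. Auto-run persistence: "Microsoft Task Manager" = tasksvr32.exe under HKLM or HKCU.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -eq 'Microsoft Task Manager' -or "$($p.Value)" -match 'tasksvr32\.exe') {
                $findings += "Auto-run value in ${runKey}: $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Dropped files. The description names "the Windows system directory"; on 64-bit
#    Windows a 32-bit process is redirected to SysWOW64, so both are checked (assumption).
$sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:WINDIR 'SysWOW64')) |
    Where-Object { Test-Path $_ }
foreach ($dir in $sysDirs) {
    foreach ($name in 'tasksvr32.exe', 'coolx.dll') {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $findings += "Dropped file: $path (SHA256 $hash)"
        }
    }
}

# 3. Update binary downloaded to the temporary directory (Upgrading section).
$updater = Join-Path $env:TEMP 'rtty32.exe'
if (Test-Path $updater) { $findings += "Downloaded update binary: $updater" }

# 4. Marker values written under HKCU\Software\Microsoft\DirectX. The page only says
#    they hold the install time and version as hex; no decoding is attempted here.
$dxKey = 'HKCU:\Software\Microsoft\DirectX'
if (Test-Path $dxKey) {
    $dx = Get-ItemProperty -Path $dxKey
    foreach ($v in 'DRMInstallFocus', 'DRMInstallPlace', 'DRMUpdateFocus', 'DRMUpdatePlace', 'DRMVersion') {
        if ($null -ne $dx.$v) { $findings += "DirectX marker value: $v = $($dx.$v)" }
    }
}

# 5. Resident process started from the dropped copy.
Get-Process -Name tasksvr32 -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running process: PID $($_.Id) path $($_.Path)"
}

# 6. Payload of some versions: AUTOEXEC.BAT overwritten with a "format C:" command.
$autoexec = 'C:\AUTOEXEC.BAT'
if ((Test-Path $autoexec) -and (Select-String -Path $autoexec -Pattern 'format\s+c:' -Quiet)) {
    $findings += "$autoexec contains a `"format C:`" command"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Because the Trojan replaces itself with downloaded "upgrades", later versions may use different file names, value names or download sites, so a clean result from this sweep is evidence, not proof, that a host is uninfected; a hit on any item above warrants treating every credential listed under Stolen Information as compromised.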
