Threat Profile: PWCrack-Finder

Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 6/20/2005
Date Added: 6/21/2005
Origin: Unknown
Length: Varies
Type: Program
Subtype: Malware Tool
DAT Required: 4519

Description

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. A PUP is any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of.

Symptoms

N/A. This is not a virus or trojan.

Method

N/A. This is not a virus or trojan.
   

Virus Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a password "cracking" application that can be used to discover passwords stored on the host system. It reads password data directly from memory in order to sidestep the normal obfuscation with asterisks or black dots.

A user interface is presented when launching the installer. No license agreement is shown, nor is any to be found on the author's homepage (www.svenbader.de).

Privacy

A privacy policy is not displayed during installation.

There are obviously significant privacy implications of having this software installed, especially if the system is public, connected to a local network, or otherwise used by more than one individual.

System Changes

General defaults for typical environment variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

  • Installer: password.exe (529 KB)
    MD5: 6419382C91BBF62C7EE49A5B1FC9E429
  • c:\program files\password-finder\unins000.exe (624 KB)
    MD5: 0B362DF2679B1626DE2646A6AAE6518A
  • c:\program files\password-finder\unins000.dat (2 KB)
  • c:\program files\password-finder\titel.gif (1 KB)
  • c:\program files\password-finder\pwfinder.exe (237 KB)
    MD5: A83E54F4DB42F4391E784F8D0EF022D0
  • c:\program files\password-finder\pwfinder.dll (5 KB)
    MD5: 675965E069A5F192F84DA65A8F833E82
  • c:\program files\password-finder\lupe.gif (2 KB)
  • c:\program files\password-finder\homepage.url (1 KB)
  • c:\program files\password-finder\hilfe.htm (2 KB)
  • c:\program files\password-finder\hilfe.gif (17 KB)
  • c:\program files\password-finder\amazon.gif (1 KB)
  • c:\documents and settings\all users\start menu\programs\password-finder\password-finder.lnk (1 KB)
  • c:\documents and settings\all users\start menu\programs\password-finder\homepage.lnk (1 KB)
  • c:\documents and settings\all users\start menu\programs\password-finder\hilfe.lnk (1 KB)
  • c:\documents and settings\administrator\desktop\password-finder.lnk (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Password-Finder_is1

The following values are set under this key:

  • "NoRepair"="1"
  • "NoModify"="1"
  • "QuietUninstallString"=""C:\Program Files\Password-Finder\unins000.exe" /SILENT"
  • "UninstallString"=""C:\Program Files\Password-Finder\unins000.exe""
  • "DisplayName"="Password-Finder 2.0"
  • "Inno Setup: Deselected Tasks"=""
  • "Inno Setup: Selected Tasks"="desktopicon"
  • "Inno Setup: User"="Administrator"
  • "Inno Setup: Icon Group"="Password-Finder"
  • "InstallLocation"="C:\Program Files\Password-Finder\"
  • "Inno Setup: App Path"="C:\Program Files\Password-Finder"
  • "Inno Setup: Setup Version"="5.0.7"

Network Impact

No network communications resulting from the samples were evident during investigation of this software.