
Virus Profile: PWS-Gauss

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/10/2012
Date Added: 8/10/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 6800
Description

PWS-Gauss is a password stealing Trojan which attempts to steal system information and various credentials.

Indication of Infection

  • Presence of unexpected registry entries and of the component files listed below.
  • Unexpected network connections.

Methods of Infection

Undetermined.

Virus Characteristics

PWS-Gauss is a malware toolkit built for data collection. Like Stuxnet and Flame, Gauss comprises a multi-module framework whose modules work together to carry out the attacker's functionality. Several modules appear to be named after famous mathematicians, hence the name Gauss.

Modules may include browser plugins, USB infection components, JavaScript and ActiveX controls. The objective of Gauss is to collect several kinds of system information as well as credentials for email, domain accounts, social networks and banking. Each module is designed to collect a different type of data. The USB module in particular uses a previously known exploit (CVE-2010-2568) in a tactic similar to that used by the Stuxnet/Duqu worms.

PWS-Gauss modules may contain several components, including:

  • wmiqry32.ocx
  • smdk.ocx
  • lanhlp32.ocx
  • devwiz.ocx
  • dskapi.ocx
  • windig.ocx
  • winshell.ocx
  • mcdmn.ocx
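A host-side check for the component names listed above, added here as an example and not part of this profile or of McAfee's tooling: it walks a directory tree and reports any file whose name matches a listed component, ignoring case because NTFS does. The System32 layout and the planted sample files are constructed for the demo; only the component names come from the list above.

```python
import os
import tempfile

# Component file names exactly as listed in this profile.
GAUSS_COMPONENTS = {
    "wmiqry32.ocx", "smdk.ocx", "lanhlp32.ocx", "devwiz.ocx",
    "dskapi.ocx", "windig.ocx", "winshell.ocx", "mcdmn.ocx",
}


def find_gauss_components(root):
    """Walk `root` and return sorted paths whose base name matches a known
    PWS-Gauss component. Matching is case-insensitive since NTFS ignores case."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in GAUSS_COMPONENTS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (assumption: mimics a Windows\\System32 layout)
    with two planted component names and two benign decoys. Returns the root."""
    root = tempfile.mkdtemp(prefix="gauss_demo_")
    sys32 = os.path.join(root, "Windows", "System32")
    os.makedirs(sys32)
    # WINSHELL.OCX tests case-insensitive matching; smdk.txt must NOT match.
    for fname in ("WINSHELL.OCX", "devwiz.ocx", "kernel32.dll", "smdk.txt"):
        with open(os.path.join(sys32, fname), "wb") as fh:
            fh.write(b"constructed placeholder, not real file content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_gauss_components(sample_root):
        print("possible PWS-Gauss component:", hit)
```

On a real host, point `find_gauss_components` at the Windows directory and treat any hit as a lead for engine/DAT scanning, not as proof of infection on its own.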

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).