Virus Profile: PWS-CuteMoon

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/2/2009
Date Added: 11/2/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 5791
Removal Instructions
   
 
 
   

Description

This description is for a password stealing malware, which attempts to steal user information and post them to a pre defined site.

The characteristics of this password stealer with regards to passwords stolen, sites accessed, files downloaded etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Indication of Infection

Presence of files and registry entries mentioned earlier.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Aliases

Trj/CI.A [Panda], Trojan-Downloader.Win32.FakeRean [Sunbelt], TrojWare.Win32.PSW.LdPinch.Gen [Comodo], Win32/TrojanDropper.Agent.OKG [Nod32]
   

Virus Characteristics


-- Update November 2, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://blog.threatexpert.com/2009/11/new-moon-trojan.html

--

When executed, this malware displays an erotic image to distract the user, and then drops the following files:

  • %Windir%\exploree.exe [Detected as PWS-CuteMoon]
  • %Windir%\svcoost.exe [Detected as PWS-CuteMoon]
  • %System%\154.bat [Non malicious batch file]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt

It then modifies the host file located in "C:\Windows\System32\drivers\etc\hosts" with the following URL to IP mappings:

  • 95.168.163.129 www.vkontakte.ru
  • 95.168.163.129 vkontakte.ru
  • 95.168.163.129 www.odnoklassniki.ru
  • 95.168.163.129 odnoklassniki.ru

This is done to ensure that any attempts to connect to the above legitimate russian social networking sites, will be redirected to the malicious IP address instead.

The trojan then attempt to collect system information and other password related information on the victim's machine. The collected information is then uploaded to a "Cute News" service hosted by the attackers at http://www.newmoon-[Removed].net.

   

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations