
Virus Profile: Generic PWS.tr

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/25/2011
Date Added: 8/25/2011
Origin: N/A
Length: varies
Type: Trojan
Subtype: Win32
DAT Required: 6668

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases -

  • NOD32 - a variant of Win32/Agent.NJF
  • Ikarus - Backdoor.Win32.Joanap
  • Microsoft - Backdoor:Win32/Joanap.A

Indication of Infection

Specific indications may vary between different password stealing trojans, but typically the trojan will hook system startup via a Registry key, or a modification to WIN.INI or SYSTEM.INI.

Methods of Infection

The trojan may be received from many sources, for example via email, IRC, P2P file-sharing networks, newsgroups or downloads.

Virus Characteristics

--- Updated on June 14th 2012 ---

Aliases -

  • Nod32 - a variant of Win32/Agent.NJF
  • Ikarus - Worm.Win32.Agent
  • Kaspersky - Worm.Win32.Agent.agq
  • Microsoft - Backdoor:Win32/Joanap.A

This DLL is dropped by a Trojan and is used to steal system information.

The trojan may steal various passwords from the victim machine, including:

  • local system username/password
  • domain username/password
  • MAPI username/password
  • AOL or MSN username/password
  • Passwords for other miscellaneous software (applications or games)

Typical methods of stealing passwords from the victim machine include querying cached passwords, querying the system Registry, targeting specific system files (e.g. PWL files on Win9x), faking the login screen, and so on. Once retrieved, the password(s) may be sent to the hacker in several ways: by mail, via HTTP (port 80), by FTP, etc.

-----------------------------------------------------------------------------------

--- Updated on May 16th 2012 ---

Aliases -

  • Nod32 - a variant of Win32/Agent.NJF
  • Ikarus - Backdoor.Win32.Joanap
  • Kaspersky - Worm.Win32.Agent.agq
  • Microsoft - Backdoor:Win32/Joanap.A

This DLL is dropped by a Trojan and is used to steal system information.

Once executed the Trojan attempts to connect to the Administrator account on the remote machine. The Trojan uses the following passwords to brute force the account:

  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1q2w3e
  • 1q2w3e4r
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • admin!@#
  • administrator
  • administrador
  • asdf
  • asdfg
  • asdfgh
  • asdf123
  • asdf!23
  • baseball
  • backup
  • blank
  • cisco
  • compaq
  • control
  • computer
  • cookie123
  • database
  • dbpassword
  • default
  • dell
  • ftp
  • enable
  • fish
  • foobar
  • gateway
  • guest
  • god
  • golf
  • harley
  • home
  • iloveyou
  • internet
  • letmein
  • Login
  • login
  • love
  • manager
  • oracle
  • owner
  • pass
  • passwd
  • password
  • password1
  • password!
  • pwd
  • q1w2e3
  • q1w2e3r4
  • q1w2e3r4t5

The Trojan steals various passwords from the victim machine, including:

  • local system username/password
  • domain username/password
  • MAPI username/password
  • AOL or MSN username/password
  • Passwords for other miscellaneous software (applications or games)

Typical methods of stealing passwords from the victim machine include querying cached passwords, querying the system Registry, targeting specific system files (e.g. PWL files on Win9x), faking the login screen, and so on. Once retrieved, the password(s) may be sent to the following hacker mail address:

  • Misswang8107@gmail.com

-------------------------------------------------------------------------------

--- Updated on February 21, 2011 ---

Aliases -

  • AntiVir - BDS/Joanap.A.8
  • NOD32 - a variant of Win32/Agent.NJF
  • Kaspersky - Worm.Win32.Agent.agq
  • Symantec - Backdoor.Trojan

Generic PWS.tr is a generic description for this Trojan, which steals users' sensitive information and sends it to the attacker.

It is dropped by a source file which is detected as "Generic BackDoor!dpp".

Once executed the Trojan attempts to connect to the Administrator account on the remote machine. The Trojan uses the following passwords to brute force the account:

  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1q2w3e
  • 1q2w3e4r
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • admin!@#
  • administrator
  • administrador
  • asdf
  • asdfg
  • asdfgh
  • asdf123
  • asdf!23
  • baseball
  • backup
  • blank
  • cisco
  • compaq
  • control
  • computer
  • cookie123
  • database
  • dbpassword
  • default
  • dell
  • ftp
  • enable
  • fish
  • foobar
  • gateway
  • guest
  • god
  • golf
  • harley
  • home
  • iloveyou
  • internet
  • letmein
  • Login
  • login
  • love
  • manager
  • oracle
  • owner
  • pass
  • passwd
  • password
  • password1
  • password!
  • pwd
  • q1w2e3
  • q1w2e3r4
  • q1w2e3r4t5
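The password-guessing behaviour described above (in both the May 2012 and February 2011 update sections) shows up on the targeted host as a burst of failed network logons against the Administrator account from a single source. The following is an added example, not McAfee's code and not part of this profile, that flags such a burst in Windows Security log records. The records are constructed samples shaped after event ID 4625 (failed logon) with logon type 3 (network); the field names, the source addresses and the "10 failures within 2 minutes" threshold are assumptions made for the example.

```python
"""Detect remote-Administrator password guessing from Windows Security log
records.

Added example for this page; it is not McAfee's code and does not come from
the trojan. Records are constructed samples shaped after Windows Security
event 4625 (failed logon, logon type 3 = network); field names and the
threshold are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample: one host guessing Administrator, plus benign noise."""
    base = datetime(2012, 5, 16, 10, 0, 0)
    events = []
    # Twelve failed network logons against Administrator from one source,
    # five seconds apart, as a guessing loop over a short wordlist produces.
    for i in range(12):
        events.append({"time": base + timedelta(seconds=5 * i), "event_id": 4625,
                       "target_user": "Administrator", "src_ip": "10.0.0.23",
                       "logon_type": 3})
    # One failure from another host: a mistyped password, not an attack.
    events.append({"time": base + timedelta(seconds=30), "event_id": 4625,
                   "target_user": "Administrator", "src_ip": "10.0.0.50",
                   "logon_type": 3})
    # A successful logon (event 4624) is never counted.
    events.append({"time": base + timedelta(seconds=40), "event_id": 4624,
                   "target_user": "jdoe", "src_ip": "10.0.0.50", "logon_type": 3})
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=2)):
    """Return one alert per (source IP, target account) pair that produced at
    least `threshold` failed network logons inside any sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            failures[(ev["src_ip"], ev["target_user"].lower())].append(ev["time"])

    alerts = []
    for (src_ip, user), times in failures.items():
        times.sort()
        recent = deque()   # timestamps inside the current sliding window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append({"src_ip": src_ip, "target_user": user,
                           "failures_in_window": peak,
                           "first_seen": times[0], "last_seen": times[-1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_events()):
        print(f"{alert['src_ip']} -> {alert['target_user']}: "
              f"{alert['failures_in_window']} failures between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

On the sample data only the 10.0.0.23 source is reported; the single failure from 10.0.0.50 stays below the threshold. Event 4625 is only written when failure auditing for logon events is enabled, so the check is worthless on hosts where that audit policy is off. Filtering on logon type 3 keeps the count to network logons, which is how the remote Administrator connections this profile describes would be recorded on the target.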

-------------------------------------------------------------------------------------

Upon execution the Trojan injects itself into explorer.exe and connects to the site mete[Removed] over remote port 80.

It executes the following commands:

  • %System32%\cmd.exe /c d.bat "%Full path to virus%"
  • %System32%\svchost.exe -k Wmmvsvc
  • %System32%\svchost.exe -k SCardPrv

When executed, the Trojan creates the following files:

  • %Current directory%\d.bat
  • %System32%\KB25879.dat
  • %Temp%\wpad[1].dat
  • %System32%\scardprv.dll
  • %System32%\Wmmvsvc.dll
  • %System32%\mssscardprv.ax

The following registry values have been added:

  • [\SYSTEM\ControlSet001\Services\Wmmvsvc] 'Start' = '00000002'
  • [\SYSTEM\ControlSet001\Services\SCardPrv] 'Start' = '00000002'

Network activity:
Connects to:

  • [Removed IP]:80
  • wpad.localdomain:80
  • [Removed IP]:139
  • [Removed IP]:80
  • [Removed IP]:445
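The dropped files, the two services and the svchost/cmd command lines listed above are the host-side artifacts a responder can sweep for. The following is an added example, not McAfee's code and not part of this profile, that matches simplified endpoint telemetry records against those indicators. The indicator values come from the profile; the records are constructed samples in a Sysmon-like shape, and the field names, the %System32% expansion to C:\Windows\System32 and the sample user paths are assumptions. The %Temp%\wpad[1].dat file and the wpad.localdomain lookup are deliberately not used as indicators, because they are the normal artifacts of Web Proxy Auto-Discovery and would match clean hosts.

```python
"""Match endpoint telemetry against the host indicators in this profile.

Added example for this page; not McAfee's code. Indicator values are taken
from the profile. Telemetry records are constructed samples in a simplified
Sysmon-like shape; field names and the %System32% expansion are assumptions.
"""
import re

# %System32% expanded to its default location (assumption for the sample data).
SYSTEM32 = r"c:\windows\system32"

# Files the profile lists as created by the trojan, normalised to lower case.
DROPPED_FILES = {
    SYSTEM32 + r"\kb25879.dat",
    SYSTEM32 + r"\scardprv.dll",
    SYSTEM32 + r"\wmmvsvc.dll",
    SYSTEM32 + r"\mssscardprv.ax",
}

# Services the trojan registers; Start = 2 is SERVICE_AUTO_START.
SERVICE_START_RE = re.compile(r"\\services\\(wmmvsvc|scardprv)\\start$")

# Command lines from the profile: svchost hosting either service, and the
# cmd.exe /c d.bat dropper invocation.
COMMAND_LINE_RES = {
    "svchost hosting trojan service": re.compile(r"svchost\.exe\s+-k\s+(wmmvsvc|scardprv)\b", re.I),
    "d.bat dropper batch script": re.compile(r"cmd\.exe\s+/c\s+d\.bat\b", re.I),
}


def normalize_path(path):
    """Lower-case, strip quotes and unify separators so comparisons are exact."""
    return path.strip().strip('"').lower().replace("/", "\\")


def match_record(rec):
    """Return the list of indicator labels one telemetry record matches."""
    hits = []
    if rec["type"] == "process_create":
        for label, rx in COMMAND_LINE_RES.items():
            if rx.search(rec["command_line"]):
                hits.append(label)
    elif rec["type"] == "file_create":
        path = normalize_path(rec["path"])
        if path in DROPPED_FILES:
            hits.append("dropped file " + path)
        elif path.endswith("\\d.bat"):
            hits.append("d.bat dropper batch script")
        # %Temp%\wpad[1].dat is listed too, but it is the ordinary cache name
        # of a Web Proxy Auto-Discovery download, so it is not matched here.
    elif rec["type"] == "registry_set":
        key = normalize_path(rec["key"])
        if SERVICE_START_RE.search(key) and rec.get("data") == "00000002":
            hits.append("auto-start service " + key)
    return hits


def scan(records):
    """Return {record_index: [labels]} for every record matching an indicator."""
    result = {}
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            result[i] = hits
    return result


def triage(records):
    """Verdict for a host: matches in two or more telemetry categories
    (process, file, registry) together point to a real infection."""
    hits = scan(records)
    kinds = {records[i]["type"] for i in hits}
    if len(kinds) >= 2:
        return "likely infected", hits
    return ("suspicious" if hits else "clean"), hits


# Constructed sample telemetry: four records that match, three that do not.
SAMPLE_TELEMETRY = [
    {"type": "process_create",
     "command_line": r'C:\Windows\System32\cmd.exe /c d.bat "C:\Users\alice\Downloads\invoice.exe"'},
    {"type": "process_create", "command_line": r"C:\Windows\System32\svchost.exe -k Wmmvsvc"},
    {"type": "process_create", "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "file_create", "path": r"C:\Windows\System32\KB25879.dat"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\wpad[1].dat"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\ControlSet001\Services\SCardPrv\Start", "data": "00000002"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\ControlSet001\Services\Spooler\Start", "data": "00000002"},
]

if __name__ == "__main__":
    verdict, hits = triage(SAMPLE_TELEMETRY)
    print(verdict)
    for i, labels in hits.items():
        print(i, labels)
```

The benign svchost.exe -k netsvcs, the Spooler service and the WPAD cache file are left alone, while the d.bat invocation, the Wmmvsvc service host, the KB25879.dat drop and the SCardPrv auto-start value are reported, which puts the sample host at "likely infected". The service names are the strongest of these indicators: Wmmvsvc and SCardPrv are not names Windows ships, so a service with either name under HKLM\SYSTEM\...\Services is worth isolating the host over before the engine and DAT cleanup described below is run.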
   

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).