Follow:

You have been re-routed to the HackTool:Win32/Mailpassview write up because HackTool%253aWin32%252fMailpassview has been renamed to HackTool:Win32/Mailpassview
 

HackTool:Win32/Mailpassview


Microsoft security software detects and removes this threat.
 
This freeware tool can be used to display passwords for a number of email applications.
 
We have seen it being used by Trojan:Win32/Nedsym to steal passwords.


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

HackTool:Win32/Mailpassview is a freeware tool that is used to display passwords for a number of email applications.
 
It has a graphical user interface (GUI), but can be run without being displayed to the affected user by utilizing command line switches to save the captured password information to various formats. It can show passwords for the following email applications:
 
  • Microsoft Outlook Express
  • Microsoft Outlook
  • Windows Mail
  • Windows Live Mail
  • IncrediMail
  • Eudora
  • Netscape 6.x/7.x
  • Mozilla Thunderbird
  • Yahoo! Mail
  • Hotmail/MSN mail
  • Gmail
A configuration file named <filename>.cfg is dropped in the folder the program runs from, f or example, Mailpv.exe would drop Mailpv.cfg.
An image of the tool is shown below:
 
 
In the wild, we have observed HackTool:Win32/Mailpassview being used by Trojan:Win32/Nedsym in order to steal passwords from affected users.
 
Analysis by Michael Johnson

Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Medium
First detected by definition: 1.45.287.0
Latest detected by definition: 1.183.606.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 16, 2010
This entry was updated on: Aug 03, 2014

This threat is also detected as:
  • Win-AppCare/Agent.89088 (AhnLab)
  • W32/MalwareS.WQG (Command)
  • Gen2.BPVYO (Norman)
  • HackTool.Mailpassview!kmuIKt+KsCs (VirusBuster)
  • HackTool.IBI (AVG)
  • TR/Agent.89088.V (Avira)
  • Tool.PassView.13 (Dr.Web)
  • Win32/PSWTool.MailPassView.A (ESET)
  • PSWTool.Win32.Messen (Ikarus)
  • Trojan.Win32.Generic.5209991A (Rising AV)
  • NirSoft (Sophos)
  • PSWTool.Win32.MailPassView.as (Sunbelt Software)
  • MailPassView (Symantec)