
PWS:MSIL/Petun.A


PWS:MSIL/Petun.A is a password-stealing trojan written for the .NET runtime (MSIL) that steals information from the affected computer. The information is then sent to a remote attacker via email or uploaded to an FTP server. PWS:MSIL/Petun.A is also capable of changing certain computer settings.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Enabling the command prompt

This threat may disable the command prompt (cmd.exe), which prevents you from using it to reverse the threat's other changes. The setting it writes is the DisableCMD value under HKCU\Software\Policies\Microsoft\Windows\System, which is the registry form of the "Prevent access to the command prompt" Group Policy setting. To enable the command prompt again, follow these instructions:

  1. Using an administrator account, open the Local Group Policy Editor. To do this, go to Start and in the search box, type gpedit.msc.
  2. In the Local Group Policy Editor, go to Local Computer Policy > User Configuration > Administrative Templates > System and select Prevent access to the command prompt.
  3. Double-click Prevent access to the command prompt and select Disabled (or Not Configured). Do not select Enabled; that keeps the command prompt blocked.
  4. Press OK and exit the Local Group Policy Editor. The change reaches the affected user's registry at the next Group Policy refresh, so sign out and back in if the prompt is still blocked.

Windows editions without gpedit.msc (the Home editions) can instead delete the DisableCMD value with regedit.exe. DisableCMD blocks only cmd.exe, so a PowerShell prompt still opens and can remove the value as well.
Additional remediation instructions for PWS:MSIL/Petun.A

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s:

Threat behavior


Installation

When run, PWS:MSIL/Petun.A attempts to copy itself to the computer using a specific file name. In the wild, it has been known to use the following names:

  • svchost.exe
  • rsddoser.exe

The first mimics the legitimate Windows service host, which lives in %SystemRoot%\System32; a file of that name in %AppData% or anywhere else should be treated as suspect.

Depending on several configurable settings, PWS:MSIL/Petun.A may notify a remote attacker of the successful infection via email or FTP.

It also adds entries to the system registry so that its copy runs every time Windows starts, for example:

In subkeys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "%AppData%\rsddoser.exe"

Note that the path is written to the key's default (unnamed) value rather than to a named value. %AppData% is the user's roaming application data folder, for example C:\Users\<user>\AppData\Roaming on Windows Vista and later.

Payload

Modifies system settings
PWS:MSIL/Petun.A sets the following registry values. All of them live under HKCU, so they apply only to the account the malware ran as:

  • Disables Task Manager:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "DisableTaskMgr"
    With data: "1"
  • Removes the "Run" command from the Start menu:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "NoRun"
    With data: "1"
  • Removes shortcut (right-click) menus from the desktop and from Windows Explorer:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "NoViewContextMenu"
    With data: "1"
  • Disables the command prompt (cmd.exe). This is the registry form of the "Prevent access to the command prompt" Group Policy setting; data "2" corresponds to the policy's "disable script processing: No" option, so the interactive prompt is blocked but batch files still run, whereas data "1" would block both:
    In subkey: HKCU\Software\Policies\Microsoft\Windows\System
    Sets value: "DisableCMD"
    With data: "2"

It also disables Least-privilege User Account (LUA), the internal name for User Account Control (UAC), so the user is not prompted for consent when the malware runs commands that need elevation. It also attempts to terminate Task Manager (taskmgr.exe) whenever it runs.
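The following PowerShell script is an added example, not code from the Microsoft write-up. It audits the per-user policy values and the Run-key autostart entries listed above (the same values the "Enabling the command prompt" steps undo through gpedit.msc) and, with the remediation function, deletes them. Deleting a policy value is equivalent to choosing "Not Configured" in the Local Group Policy Editor. The EnableLUA check is an assumption of this example: the write-up says UAC is disabled but does not name the value, and EnableLUA=0 is the standard way to switch UAC off. The script does not quarantine the malware file itself.

```powershell
<#
  Added example, not part of the write-up. Run from a PowerShell prompt as the
  affected user (the policy keys are per-user); the HKLM Run key and EnableLUA
  need an elevated prompt. DisableCMD does not block PowerShell, so the prompt
  opens even while cmd.exe is disabled.
#>

$PolicyIndicators = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';    Bad = @(1) }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';             Bad = @(1) }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu'; Bad = @(1) }
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';        Bad = @(1, 2) }
    # Assumed, not from the write-up: EnableLUA=0 is how UAC is switched off.
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';         Bad = @(0) }
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# File names the write-up lists. The real svchost.exe lives in %SystemRoot%\System32
# and is never started from a Run key, so any Run entry ending in it is suspect.
$DropperNames = @('rsddoser.exe', 'svchost.exe')

function Get-PetunRegistryFindings {
    [CmdletBinding()]
    param()
    foreach ($p in $PolicyIndicators) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $p.Bad -contains [int]$item.($p.Name)) {
            [pscustomobject]@{ Kind = 'Policy'; Key = $p.Key; Name = $p.Name; Data = $item.($p.Name) }
        }
    }
    foreach ($k in $RunKeys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSProvider, ... are provider metadata
            $data = [string]$prop.Value
            foreach ($n in $DropperNames) {
                # "...\name.exe" followed by end of string, whitespace or a closing quote.
                $pattern = '(?i)\\' + [regex]::Escape($n) + '(?=["\s]|$)'
                if ($data -match $pattern -and $data -notmatch '(?i)\\System32\\svchost\.exe') {
                    # The write-up's sample writes to the "(default)" value; it is reported like any other.
                    [pscustomobject]@{ Kind = 'Autorun'; Key = $k; Name = $prop.Name; Data = $data }
                }
            }
        }
    }
}

function Remove-PetunRegistryChanges {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($f in Get-PetunRegistryFindings) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Undo registry change')) {
            if ($f.Name -eq 'EnableLUA') {
                # Restore UAC explicitly rather than deleting the value; takes effect after a reboot.
                Set-ItemProperty -Path $f.Key -Name $f.Name -Value 1 -Type DWord
            } else {
                # Same effect as "Not Configured" for the policy values; drops the autorun entry.
                Remove-ItemProperty -Path $f.Key -Name $f.Name
            }
        }
    }
}

# Usage: review first, then remove.
Get-PetunRegistryFindings | Format-Table -AutoSize
# Remove-PetunRegistryChanges -WhatIf   # dry run
# Remove-PetunRegistryChanges
```

Task Manager and cmd.exe read their policy values on launch, so they work again immediately; NoRun and NoViewContextMenu are read by Explorer, so sign out and back in (or restart explorer.exe) to see those menus return. The Run-key findings are only indicators, so confirm the file on disk before treating a hit as an infection.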

Clears Internet history
PWS:MSIL/Petun.A may run the following commands:

Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

These call the ClearMyTracksByProcess export of the Internet Explorer control panel applet, the same routine behind the "Delete Browsing History" dialog. The numeric argument selects what is deleted: 8 clears the browsing history, 1 the temporary Internet files (cache) and 2 the cookies. Users rarely run rundll32.exe with InetCpl.cpl this way, so the command line is a useful process-creation indicator of anti-forensic activity.
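As an added example that is not part of the write-up, the PowerShell below flags process-creation command lines that invoke InetCpl.cpl,ClearMyTracksByProcess and decodes the flag argument into what it deletes. The sample command lines are constructed for the example; in practice feed it the CommandLine field of Security event 4688 or Sysmon event 1. The flag table covers the values named above plus the form-data and password bits; any other bits are reported as unknown rather than guessed.

```powershell
# Added example, not code from the write-up. Known ClearMyTracksByProcess bits;
# 255 is the documented "delete all" value, which also sets bits not listed here.
$ClearMyTracksFlags = @{
    1  = 'Temporary Internet Files'
    2  = 'Cookies'
    8  = 'History'
    16 = 'Form data'
    32 = 'Saved passwords'
}

function ConvertFrom-ClearMyTracksFlag {
    param([int]$Value)
    $names = [System.Collections.Generic.List[string]]::new()
    $knownBits = 0
    foreach ($bit in ($ClearMyTracksFlags.Keys | Sort-Object)) {
        $knownBits = $knownBits -bor $bit
        if ($Value -band $bit) { $names.Add($ClearMyTracksFlags[$bit]) }
    }
    if ($Value -band (-bnot $knownBits)) { $names.Add('other/unknown bits') }
    return ($names -join ', ')
}

function Find-ClearMyTracks {
    param([string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        # Case-insensitive by default; tolerate a full path, quotes and spacing around the comma.
        if ($cl -match 'rundll32(\.exe)?"?\s+.*inetcpl\.cpl\s*,\s*ClearMyTracksByProcess\s+(?<flag>\d+)') {
            $flag = [int]$Matches['flag']
            [pscustomobject]@{
                Flag        = $flag
                Clears      = ConvertFrom-ClearMyTracksFlag $flag
                CommandLine = $cl
            }
        }
    }
}

# Constructed sample lines: the three from the write-up, one benign InetCpl.cpl use, one "delete all".
$SampleCommandLines = @(
    'Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8'
    'Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 1'
    'Rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 2'
    'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl'   # opens Internet Options; no match
    '"C:\Windows\System32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 255'
)

Find-ClearMyTracks $SampleCommandLines | Format-Table -AutoSize
```

The benign line shows why the match is anchored on the ClearMyTracksByProcess export rather than on InetCpl.cpl alone: opening Internet Options through rundll32 is normal user activity, while deleting history from a script is not. Any hit on a host where the user does not drive IE this way warrants a look at the parent process.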

Steals information
PWS:MSIL/Petun.A may log keystrokes as well as steal the following system information:

  • Computer Name
  • User name
  • Operating system version
  • Windows product key
  • Available physical memory
  • Available virtual memory
  • System folder
  • Current time

The gathered information is then sent to a remote attacker either via email or uploaded to an FTP server.

Analysis by Dan Kurc


Alert level: Severe
First detected by definition: 1.97.840.0
Latest detected by definition: 1.177.2299.0 and higher
First detected on: Feb 01, 2011
This entry was first published on: Feb 02, 2011
This entry was updated on: Jun 14, 2011

This threat is also detected as:
  • Trojan.MSIL.Petun.a (Kaspersky)
  • Mal/MSIL-BA (Sophos)