PWS:Win32/Fignotok.A


PWS:Win32/Fignotok.A is a trojan that steals user names and passwords from particular applications, including from Instant Messaging (IM) programs.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Installation
Upon execution, PWS:Win32/Fignotok.A may drop a copy of itself in the Windows Temporary Files folder. The dropped copy uses any of a variety of file names.
 
It also checks whether it is being debugged and, if so, does not continue its routine.
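The dropped copy described above is an executable whose file name (and possibly extension) varies, so a name-based search of the Temp folder is unreliable. The following script is an added example, not code from the original write-up or from Microsoft: it identifies files by their PE header (a DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature) rather than by name, walks a directory, and lists every PE file found. The demo directory, its file names and contents are constructed for illustration; the function names are this example's own.

```python
import os
import struct
import tempfile
from typing import List

# Offset of e_lfanew in the DOS header and the NT signature it must point at.
E_LFANEW_OFFSET = 60
PE_SIGNATURE = b"PE\0\0"


def is_pe_file(path: str) -> bool:
    """Return True if the file starts with a DOS 'MZ' header whose e_lfanew
    field points at a valid 'PE\\0\\0' signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(E_LFANEW_OFFSET + 4)
            if len(dos_header) < E_LFANEW_OFFSET + 4 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, E_LFANEW_OFFSET)
            fh.seek(e_lfanew)
            return fh.read(4) == PE_SIGNATURE
    except OSError:
        return False


def find_pe_files(directory: str) -> List[str]:
    """Walk `directory` and return the relative paths of every PE file found,
    sorted, regardless of the file extension used."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if is_pe_file(full):
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)


def _minimal_pe_bytes() -> bytes:
    """Build the smallest byte string is_pe_file() accepts: a 64-byte DOS
    header with e_lfanew = 64, followed by the NT signature (constructed)."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 64)
    return bytes(header) + PE_SIGNATURE + b"\0" * 16


def build_demo_dir() -> str:
    """Create a throwaway directory with constructed sample files that mimic
    a Temp folder: two PE files (one with a non-executable extension), a
    text file, and a file that starts with 'MZ' but is too short to be a PE."""
    demo = tempfile.mkdtemp(prefix="fignotok_demo_")
    samples = {
        "update.exe": _minimal_pe_bytes(),
        "report.tmp": _minimal_pe_bytes(),  # PE disguised by its extension
        "readme.txt": b"just some notes\n",
        "truncated.bin": b"MZ",  # MZ magic but no usable header
    }
    for name, data in samples.items():
        with open(os.path.join(demo, name), "wb") as fh:
            fh.write(data)
    return demo


if __name__ == "__main__":
    # Demo run on the constructed directory; point find_pe_files() at
    # os.environ["TEMP"] or tempfile.gettempdir() to inspect a real Temp folder.
    for rel in find_pe_files(build_demo_dir()):
        print("PE file:", rel)
```

On the constructed directory the scan reports `report.tmp` and `update.exe` and ignores the text file and the two-byte `MZ` fragment. On a real Temp folder, any PE file reported here is only a candidate: submit it to an up-to-date antivirus scan rather than judging it by name.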
Payload
Steals user names and passwords
PWS:Win32/Fignotok.A attempts to steal stored user names and passwords from any of the following applications:
  • DynDns
  • FileZilla
  • Firefox
  • Google Talk
  • Internet Explorer
  • No-IP Dynamic Update Client (DUC)
  • Pidgin Instant Messenger
  • Steam
  • Trillian
 
The stolen information is then sent to a remote attacker by posting it to several websites. In the wild, we have observed data being posted to the following domains:
  • cummander.blackapplehost.com
  • mob.netau.net
  • quakeon.ueuo.com
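Because the stolen data is posted to the domains listed above, web proxy logs are a natural place to look for affected machines. The script below is an added example, not part of the original write-up or of any Microsoft tool: it parses proxy log lines in a simple constructed format (timestamp, client IP, method, URL, status; not any real product's layout), extracts the host from each URL, and reports requests to those domains or their subdomains. The sample log lines, IP addresses, paths and timestamps are constructed; the function names are this example's own.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Domains the write-up reports as receiving the stolen credentials.
EXFIL_DOMAINS = {
    "cummander.blackapplehost.com",
    "mob.netau.net",
    "quakeon.ueuo.com",
}

# Constructed proxy log format (assumed for this example, not a real product's):
# <ISO timestamp> <client ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_matches(host: str, domains=EXFIL_DOMAINS) -> bool:
    """True if `host` is one of the domains or a subdomain of one. A plain
    suffix match is not enough: 'notmob.netau.net' must not count."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_exfil_events(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse proxy log lines and return (timestamp, client, method, host) for
    every request to a known exfiltration domain. Every method is reported:
    the write-up describes POSTs, but a GET to the same host is worth seeing
    too. Malformed lines and URLs without a host are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname  # urlsplit lower-cases the host
        if host and host_matches(host):
            events.append((m.group("ts"), m.group("client"), m.group("method"), host))
    return events


# Constructed sample lines; the IPs, paths and timestamps are invented.
SAMPLE_LOG = [
    "2009-07-23T10:15:02Z 10.0.0.5 POST http://cummander.blackapplehost.com/submit 200",
    "2009-07-23T10:15:03Z 10.0.0.5 GET http://www.example.com/ 200",
    "2009-07-23T10:16:40Z 10.0.0.9 POST http://notmob.netau.net/submit 200",
    "2009-07-23T10:17:11Z 10.0.0.9 POST http://MOB.netau.net/submit 200",
    "2009-07-23T10:18:55Z 10.0.0.12 GET http://cdn.quakeon.ueuo.com/ping 404",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, client, method, host in find_exfil_events(SAMPLE_LOG):
        print(f"{ts} {client} {method} -> {host}")
```

On the sample lines the scan flags the POST to cummander.blackapplehost.com, the mixed-case POST to MOB.netau.net and the GET to cdn.quakeon.ueuo.com, and correctly ignores the look-alike host notmob.netau.net, the unrelated request and the unparseable line. Free web hosts such as these are shared by many unrelated sites, so a hit identifies a machine to scan, not proof of infection on its own.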
 
Analysis by Elda Dimakiling

Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Prevention


Alert level: Severe
First detected by definition: 1.63.118.0
Latest detected by definition: 1.179.3165.0 and higher
First detected on: Jul 23, 2009
This entry was first published on: Dec 22, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Buzus.cbjp (Kaspersky)
  • W32/Buzus.WZX (Norman)
  • Win32/Injector.ACE (ESET)
  • TSPY_DYBALOM.D (Trend Micro)