PWS:Win32/Sacanph.A is a trojan that steals URL history and user information from certain applications. It also modifies the Hosts file to prevent access to certain websites.
PWS:Win32/Sacanph.A drops a copy of itself as the following file:
Note that a legitimate Windows file named csrss.exe exists by default in the Windows system folder.
It quits running if it detects that certain debugging applications are running.
Modifies the Hosts file
PWS:Win32/Sacanph.A modifies the Hosts file to prevent access to certain websites. It adds the following lines:
Connects to a remote server
PWS:Win32/Sacanph.A connects to the server blaaaaaaaah.1x.de via port 80.
Steals user information
PWS:Win32/Sacanph.A steals URL history and user information from the following programs:
- Windows Live Messenger
Analysis by Jaime Wong
The following system changes may indicate the presence of this malware:
- The presence of the following files:
- The following lines have been added to your Hosts file:
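
A Hosts file can be audited for this kind of tampering with a short script. The Python below is an added example, not part of the original analysis: it reports every entry that maps a non-local hostname to an address, labelling loopback or unspecified targets as blocked, on the assumption that this is how the added lines prevent access. The sample Hosts content, its hostnames and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Names a clean Hosts file normally maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: hostnames and addresses are illustrative, not from the analysis.
SAMPLE_HOSTS = """\
# Sample Hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example www.av-vendor.example  # two names, one line
0.0.0.0         scanner.example
203.0.113.7     bank.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for each non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        fields = entry.split()
        if len(fields) < 2:                       # blank, comment-only or incomplete
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], fields[1].lower(), "malformed"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            # Loopback / unspecified targets make the site unreachable;
            # any other address silently sends the user elsewhere.
            blocked = addr.is_loopback or addr.is_unspecified
            findings.append((line_no, str(addr), name, "blocked" if blocked else "redirected"))
    return findings

if __name__ == "__main__":
    for line_no, addr, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} [{verdict}]")
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; any finding on a machine that should have a default Hosts file is worth reviewing.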