PWS:Win32/Sacanph.A


PWS:Win32/Sacanph.A is a trojan that steals URL history and user information from certain applications. It also modifies the Hosts file to prevent access to certain websites.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

This malware may modify your Hosts file (by default %SystemRoot%\System32\drivers\etc\hosts). To recreate a clean Hosts file, refer to the following article:
http://support.microsoft.com/kb/972034

Threat behavior

PWS:Win32/Sacanph.A is a trojan that steals URL history and user information from certain applications. It also modifies the Hosts file to prevent access to certain websites.

Installation

PWS:Win32/Sacanph.A drops a copy of itself as the following file:

  • %AppData%\wintemp\csrss.exe

Note that a legitimate Windows file named csrss.exe exists by default in the Windows system folder (%SystemRoot%\System32). The copy dropped under %AppData%\wintemp is the malicious one; its location, not its file name, is what distinguishes it.

It terminates if it detects that certain debugging applications are running (an anti-analysis check).

Payload

Modifies the Hosts file
PWS:Win32/Sacanph.A modifies the Hosts file to prevent access to certain online malware-scanning websites. It adds the following lines, which redirect the named hosts to the local loopback address:

127.0.0.1 www.virustotal.com
127.0.0.1 http://virusscan.jotti.org/de

Note that the second line contains a URL rather than a hostname. Hosts file entries are matched against hostnames only, so as written this entry does not affect name resolution for virusscan.jotti.org; the first entry does block www.virustotal.com.

Connects to a remote server

PWS:Win32/Sacanph.A connects to the server blaaaaaaaah.1x.de via TCP port 80.

Steals user information
PWS:Win32/Sacanph.A steals URL history and user information from the following programs:

  • COREFTP
  • Emule
  • FileZilla
  • ICQ
  • Miranda
  • SmartFTP
  • Trillian
  • Windows Live Messenger

Analysis by Jaime Wong


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %AppData%\wintemp\csrss.exe
  • The following lines have been added to your Hosts file:
    127.0.0.1 www.virustotal.com
    127.0.0.1 http://virusscan.jotti.org/de
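The following Python helpers are an added example, not part of the Microsoft write-up, that check the two indicators above offline: a csrss.exe living outside the Windows system folder (the Installation section) and Hosts file entries that redirect the listed scanner hosts to loopback (the Payload and Symptoms sections). The Hosts content embedded below is constructed for illustration, the function names and the hostname set are this example's own, and the rule that a legitimate csrss.exe lives only under System32 is an assumption of the example (the WinSxS servicing store also holds copies, which a whole-disk scan would need to exclude).

```python
"""Offline triage helpers for the PWS:Win32/Sacanph.A indicators.

Added example; not code from the original write-up. On a live system the
Hosts file would be read from %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
import ntpath
import re
from typing import List, Tuple

# Scanner hostnames the write-up says the trojan redirects to loopback.
BLOCKED_SCANNER_HOSTS = {"www.virustotal.com", "virusscan.jotti.org"}

# A syntactically plausible hostname token for a Hosts entry.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Constructed sample: a default Hosts file plus the two lines from the write-up.
HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.virustotal.com
127.0.0.1 http://virusscan.jotti.org/de
"""


def parse_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, token, status) for every name token in a Hosts file.

    A Hosts entry is 'IP hostname [hostname ...]'; '#' starts a comment.
    Tokens that are not valid hostnames (e.g. a full URL) get status
    'malformed' because the resolver never matches them, so they block nothing.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for token in names:
            status = "ok" if HOSTNAME_RE.match(token) else "malformed"
            entries.append((ip, token, status))
    return entries


def find_scanner_sinkholes(text: str) -> List[Tuple[str, str, str]]:
    """Flag entries that map a known scanner host to a loopback/unspecified address.

    Returns (token, ip, status) so a malformed URL-style line is still reported
    (it reveals the tampering) while being marked as ineffective.
    """
    hits = []
    for ip, token, status in parse_hosts(text):
        host = token
        if status == "malformed":
            # Assumption: a malformed token looks like scheme://host/path.
            m = re.match(r"^[a-z]+://([^/]+)", token, re.I)
            host = m.group(1) if m else token
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; leave it to a general Hosts audit
        if host in BLOCKED_SCANNER_HOSTS and (addr.is_loopback or addr.is_unspecified):
            hits.append((token, ip, status))
    return hits


def is_masquerading_csrss(path: str) -> bool:
    """True if a file named csrss.exe sits outside the Windows System32 folder.

    Example assumption: the only legitimate running copy is in
    %SystemRoot%\\System32, so %AppData%\\wintemp\\csrss.exe is flagged.
    """
    name = ntpath.basename(path).lower()
    if name != "csrss.exe":
        return False
    parent = ntpath.dirname(path).lower()
    return not parent.endswith("\\system32")


if __name__ == "__main__":
    for token, ip, status in find_scanner_sinkholes(HOSTS_SAMPLE):
        print(f"Hosts sinkhole: {token} -> {ip} ({status})")
    for p in (r"%AppData%\wintemp\csrss.exe", r"C:\Windows\System32\csrss.exe"):
        print(f"{p}: {'SUSPICIOUS' if is_masquerading_csrss(p) else 'ok'}")
```

Run against a copy of the real Hosts file and a file listing from the affected profile; the second Hosts line is reported with status "malformed" to show that the tampering is present even though it does not actually block the Jotti site.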

Prevention


Alert level: Severe
First detected by definition: 1.105.278.0
Latest detected by definition: 1.185.468.0 and higher
First detected on: May 23, 2011
This entry was first published on: May 23, 2011
This entry was updated on: Jun 14, 2011

This threat is also detected as:
  • TROJ_SPNR.07FC11 (Trend Micro)