
PWS:Win32/PWSteal.M


PWS:Win32/PWSteal.M is the detection for a trojan that drops several password-recovery tools on the computer. These tools collect stored account credentials, which the trojan may then send to a remote attacker.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

PWS:Win32/PWSteal.M is the detection for a trojan that drops several password-recovery tools on the computer.
Payload
Drops other files
PWS:Win32/PWSteal.M drops several password-recovery tools such as the following files:
 
 
These dropped files may collect user information for various accounts. The collected passwords are stored in the following files:
 
  • %Temp%\mspass.txt
  • %Temp%\ffpass.txt
  • %Temp%\fzpass.txt
  • %Temp%\iepass.txt
  • %Temp%\SteamPass.txt
  • %Temp%\passvoodoo.txt
 
PWS:Win32/PWSteal.M then attempts to send the information in these files to a remote attacker. Because these files list exactly which accounts were harvested, preserve copies of them before cleanup so that every affected password can be reset.
 
Modifies computer settings
PWS:Win32/PWSteal.M may suppress Windows Defender warnings. It may also terminate the Task Manager process (taskmgr.exe), which hinders manual inspection of running processes.
 
Analysis by Andrei Florin Saygo

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • %Temp%\iepv.exe
    • %Temp%\mspass.exe
    • %Temp%\passwordfox.exe
    • %Temp%\steampwd.exe
    • %Temp%\stpv.exe
    • %Temp%\vmdpmouch.exe
    • %Temp%\mspass.txt
    • %Temp%\ffpass.txt
    • %Temp%\fzpass.txt
    • %Temp%\iepass.txt
    • %Temp%\SteamPass.txt
    • %Temp%\passvoodoo.txt
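The file list above is usable directly as a triage check. The following script is an added example, not code from the entry or from Microsoft: it scans a %Temp% directory for the dropped tools and the credential dump files named above, hashes the tools, counts the records in each dump, and turns the combination into a verdict a responder can act on (tools plus a non-empty dump means the harvest actually ran). The profile enumeration assumes the default Windows layout under %SystemDrive%\Users; the fixture built by `build_constructed_sample` is constructed test data, not real malware output.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names exactly as listed in the Symptoms section of the entry.
DROPPED_TOOLS = {"iepv.exe", "mspass.exe", "passwordfox.exe",
                 "steampwd.exe", "stpv.exe", "vmdpmouch.exe"}
DUMP_FILES = {"mspass.txt", "ffpass.txt", "fzpass.txt",
              "iepass.txt", "SteamPass.txt", "passvoodoo.txt"}


def candidate_temp_dirs():
    """%Temp% is per user, so on a live host look in every profile's Temp
    directory, not just the one the scan runs under (assumes the default
    %SystemDrive%\\Users layout). Returns only directories that exist."""
    dirs = []
    if os.environ.get("TEMP"):
        dirs.append(Path(os.environ["TEMP"]))
    users = Path(os.environ.get("SystemDrive", "C:") + os.sep) / "Users"
    if users.is_dir():
        dirs.extend(p / "AppData" / "Local" / "Temp" for p in users.iterdir())
    return [d for d in dirs if d.is_dir()]


def sha256_of(path):
    """Hash a dropped tool so it can be cross-referenced with other hosts."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_temp_dir(temp_dir):
    """Return {'tools': [...], 'dumps': [...]} for the named artifacts found
    in temp_dir. Names are compared case-insensitively, as NTFS would."""
    tools = {n.lower() for n in DROPPED_TOOLS}
    dumps = {n.lower() for n in DUMP_FILES}
    found = {"tools": [], "dumps": []}
    for entry in Path(temp_dir).iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in tools:
            found["tools"].append({"path": str(entry), "sha256": sha256_of(entry),
                                   "mtime": entry.stat().st_mtime})
        elif name in dumps:
            # Each non-empty line of a dump is one harvested record.
            with open(entry, "rb") as f:
                records = sum(1 for line in f if line.strip())
            found["dumps"].append({"path": str(entry), "records": records,
                                   "mtime": entry.stat().st_mtime})
    return found


def verdict(found):
    """Tools plus a non-empty dump means the harvest ran; tools alone means
    they were dropped but no output was seen; dumps alone means the output
    outlived the tools (e.g. after a partial cleanup)."""
    harvested = any(d["records"] > 0 for d in found["dumps"])
    if found["tools"] and harvested:
        return "credentials harvested: treat every listed account as compromised"
    if found["tools"]:
        return "tools dropped; no harvest output found"
    if found["dumps"]:
        return "harvest output present; tools already removed"
    return "no PWSteal.M artifacts"


def build_constructed_sample(root):
    """Constructed fixture (not real malware output): a %Temp% holding two of
    the tools, one dump with three fake records, and an unrelated file."""
    root = Path(root)
    (root / "MSPASS.EXE").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "steampwd.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "SteamPass.txt").write_text("user1\tpass1\nuser2\tpass2\n\nuser3\tpass3\n")
    (root / "unrelated.log").write_text("noise\n")
    return root


def demo():
    """Run the scan against the constructed fixture; returns (found, verdict)."""
    root = build_constructed_sample(tempfile.mkdtemp())
    found = scan_temp_dir(root)
    return found, verdict(found)


if __name__ == "__main__":
    # On a live host: report per profile. Otherwise fall back to the fixture.
    targets = candidate_temp_dirs()
    if targets:
        for d in targets:
            print(d, "->", verdict(scan_temp_dir(d)))
    else:
        found, v = demo()
        print(v)
        for item in found["tools"] + found["dumps"]:
            print(item)
```

Run it under each local administrator account or from an elevated prompt so every profile's Temp directory is readable; the SHA-256 values let you check whether the dropped binaries are identical across hosts, and the record counts tell you how many accounts to reset.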

Prevention


Alert level: Severe
First detected by definition: 1.89.417.0
Latest detected by definition: 1.89.417.0 and higher
First detected on: Aug 26, 2010
This entry was first published on: Aug 31, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trj/Autoit.gen (Panda)