PWS:Win32/Axespec.D is a trojan that is specifically used to capture personal information, such as user names and passwords, and then send that information to a remote attacker.
Installation
When executed, PWS:Win32/Axespec.D copies itself to <system folder>\svrwsc.exe.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware creates the following files on an affected computer:
- <system folder>\config\appevent.evt
- <system folder>\config\sysevent.evt
- c:\documents and settings\administrator\local settings\temp\low47d9.tmp.bat
Note: appevent.evt and sysevent.evt are the Windows Application and System event log files on Windows XP and earlier, so their presence or modification is not by itself a sign of infection. The temp path shown reflects the user profile of the automated analysis environment.
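The following is an added host-triage example, not part of this description and not Microsoft tooling. It checks a system folder for the svrwsc.exe copy named above, hashes it with SHA1 and compares the result with the sample hash given at the end of this page, and records the two .evt files only as context, since they are legitimate event log files. The helper names, the demo() function and the placeholder file it writes are assumptions for illustration; the hash, file names and default system folders come from this page.

```python
import hashlib
import os
import tempfile

# SHA1 of the sample this page describes.
AXESPEC_D_SHA1 = "049cec0e51bd5837b3ac81e41260bffda583a5f0"

# Default system folders named in the note above; a real scan checks each that exists.
DEFAULT_SYSTEM_FOLDERS = [r"C:\Windows\System32", r"C:\Winnt\System32"]

# Legitimate Windows XP/2003 event log files; reported for context only.
EVENT_LOG_FILES = ["appevent.evt", "sysevent.evt"]


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA1 so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_system_folder(system_folder):
    """Check one system folder for the installation indicators on this page.

    Returns a dict with:
      dropper      - path of svrwsc.exe if present, else None
      sha1         - its SHA1 if present, else None
      known_sample - True if the hash equals the page's sample hash,
                     False if present with a different hash (possible variant
                     or unrelated file), None if absent
      event_logs   - which of the .evt files exist (informational only)
    """
    dropper = os.path.join(system_folder, "svrwsc.exe")
    result = {"dropper": None, "sha1": None, "known_sample": None, "event_logs": []}
    if os.path.isfile(dropper):
        result["dropper"] = dropper
        result["sha1"] = sha1_of_file(dropper)
        result["known_sample"] = result["sha1"] == AXESPEC_D_SHA1
    config_dir = os.path.join(system_folder, "config")
    result["event_logs"] = [
        name for name in EVENT_LOG_FILES
        if os.path.isfile(os.path.join(config_dir, name))
    ]
    return result


def triage_host(candidate_folders=DEFAULT_SYSTEM_FOLDERS):
    """Run the check across every candidate system folder that exists on this host."""
    return {f: triage_system_folder(f) for f in candidate_folders if os.path.isdir(f)}


def demo():
    """Constructed demo: a fake system folder with a placeholder svrwsc.exe
    (not the real sample) and one event log file, triaged in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "appevent.evt"), "wb") as f:
            f.write(b"")
        with open(os.path.join(root, "svrwsc.exe"), "wb") as f:
            f.write(b"constructed placeholder, not the real sample")
        return triage_system_folder(root)


if __name__ == "__main__":
    print(demo())
    print(triage_host())
```

A file named svrwsc.exe with a hash other than the one above is still worth pulling for analysis: an automated description covers a single sample, and variants of the same family are repacked frequently.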
The malware uses code injection to hinder detection and removal. When PWS:Win32/Axespec.D executes, it may inject code into running processes, including the following:
- cmd.exe
- csrss.exe
- explorer.exe
- lsass.exe
- reader_sl.exe
- services.exe
- smss.exe
- svchost.exe
- winlogon.exe
- wmiprvse.exe
Spreads via…
Removable and network drives
PWS:Win32/Axespec.D copies itself to the following location on all accessible removable or network drives:
- <targeted drive>:\dtochp\kuuzsb.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Note: This malware was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is common malware behavior, generally used to spread from computer to computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
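The note above is the practical difficulty: an autorun.inf on a removable drive is not an indicator by itself, so a check has to read what the file would launch. The following is an added example, not Microsoft tooling and not code from the malware. It parses the [autorun] section, collects the launch-capable entries (open, shellexecute and shell\<verb>\command), and reports whether any of them points at the dtochp\kuuzsb.exe path given above; anything else that launches code is flagged for review rather than called malicious. The sample autorun.inf contents below are constructed, not captured from the sample, and the function names are assumptions.

```python
import configparser
import ntpath
import os
import re
import shlex

# Drop location on a targeted drive, as stated on this page.
AXESPEC_DROP_PATH = ntpath.join("dtochp", "kuuzsb.exe")

# [autorun] keys that cause code to run: open=, shellexecute=, and
# shell\<verb>\command= (run when the verb is picked from the drive's menu).
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def launch_targets(autorun_text):
    """Return the executables an autorun.inf would launch: the first token of
    each launch-capable value, quotes removed, arguments dropped."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str          # keep backslash keys exactly as written
    try:
        parser.read_string(autorun_text.lstrip("\ufeff"))
    except configparser.Error:
        return []                     # not parseable as INI; nothing to evaluate
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if not LAUNCH_KEY_RE.match(key.strip()):
                continue
            try:
                tokens = shlex.split(value, posix=False)   # keeps "quoted path" whole
            except ValueError:        # unbalanced quote: fall back to whitespace split
                tokens = value.split()
            if tokens:
                targets.append(tokens[0].strip('"'))
    return targets


def _normalize(target):
    """Lower-case Windows-style relative path without drive letter or leading slash."""
    _drive, path = ntpath.splitdrive(target.replace("/", "\\"))
    return ntpath.normpath(path).lower().lstrip("\\")


def classify_autorun(autorun_text):
    """Classify one autorun.inf against the indicator on this page."""
    targets = launch_targets(autorun_text)
    hits = [t for t in targets if _normalize(t).endswith(AXESPEC_DROP_PATH)]
    if hits:
        verdict = "matches_axespec_indicator"
    elif targets:
        verdict = "launches_code"     # may be a legitimate installer; review the target
    else:
        verdict = "metadata_only"     # icon/label only: no code is launched
    return {"targets": targets, "hits": hits, "verdict": verdict}


def scan_drive_root(root):
    """Check a mounted drive root for both indicators: the dropped copy and an
    autorun.inf that launches it."""
    dropped = os.path.isfile(os.path.join(root, "dtochp", "kuuzsb.exe"))
    inf_path = os.path.join(root, "autorun.inf")
    inf = None
    if os.path.isfile(inf_path):
        with open(inf_path, "r", encoding="utf-8", errors="replace") as f:
            inf = classify_autorun(f.read())
    return {"dropped_copy_present": dropped, "autorun": inf}


# Constructed sample autorun.inf contents (illustrative, not captured from the sample).
INSTALL_DISC_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Vendor Install Disc\n"
PHOTOS_INF = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"
SUSPECT_INF = (
    "[AutoRun]\n"
    "open=dtochp\\kuuzsb.exe\n"
    "shell\\open=&Open\n"
    "shell\\open\\Command=.\\dtochp\\kuuzsb.exe\n"
    'shellexecute="dtochp\\kuuzsb.exe" /q\n'
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)

if __name__ == "__main__":
    for name, text in [("install disc", INSTALL_DISC_INF), ("photos", PHOTOS_INF), ("suspect", SUSPECT_INF)]:
        print(name, classify_autorun(text))
```

The shell\<verb>\command entries matter because malware of this period often registered the "Open" and "Explore" verbs as well as open=, so that a user who right-clicked the drive to avoid Autorun still launched the copy.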
Payload
Contacts remote host
PWS:Win32/Axespec.D may contact a remote host at selinect.ru using port 80. Commonly, malware contacts a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
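The host and port above are the network indicator a responder would search for in proxy or DNS logs. The following is an added example, not Microsoft tooling: it parses Squid native-format access.log lines, matches the destination host against selinect.ru (exact or subdomain, so that a look-alike such as selinect.ru.example.net is not matched), and records whether the port is the one stated on this page. The log lines are constructed for the example and the function names are assumptions; only the domain and port come from this page.

```python
from urllib.parse import urlsplit

C2_DOMAIN = "selinect.ru"   # from this page
C2_PORT = 80                # from this page

# Constructed Squid native access.log lines (illustrative, not real traffic).
SAMPLE_LOG = """\
1300000001.101    85 10.0.0.15 TCP_MISS/200 2311 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1300000002.417   120 10.0.0.23 TCP_MISS/200 418 GET http://selinect.ru/ - DIRECT/198.51.100.7 text/html
1300000003.002    60 10.0.0.23 TCP_MISS/200 96 POST http://selinect.ru/ - DIRECT/198.51.100.7 text/plain
1300000004.555    70 10.0.0.40 TCP_MISS/200 318 GET http://selinect.ru.example.net/ - DIRECT/203.0.113.9 text/html
1300000005.120   300 10.0.0.31 TCP_TUNNEL/200 5120 CONNECT selinect.ru:443 - DIRECT/198.51.100.7 -
"""


def parse_squid_line(line):
    """Parse one Squid native-format line: timestamp, elapsed, client,
    code/status, bytes, method, URL, ... Returns None for short lines."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, _status, _bytes, method, url = fields[:7]
    if method == "CONNECT":                 # URL is host:port with no scheme
        host, sep, port = url.rpartition(":")
        if not sep:
            host, port = url, "443"
        port = int(port) if port.isdigit() else 443
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"ts": float(ts), "client": client, "method": method,
            "host": host.lower(), "port": port}


def host_matches(host, domain):
    """Exact domain or a subdomain of it; rejects look-alike suffixes."""
    return host == domain or host.endswith("." + domain)


def find_c2_contacts(log_text, domain=C2_DOMAIN, port=C2_PORT):
    """Return parsed records whose destination host matches the indicator,
    marking whether the port is the one this page reports."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and host_matches(rec["host"], domain):
            rec["expected_port"] = rec["port"] == port
            hits.append(rec)
    return hits


def affected_clients(hits):
    """Distinct client addresses to pull for host triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    hits = find_c2_contacts(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("clients to triage:", affected_clients(hits))
```

A contact on a port other than 80 is still reported, because the description says the sample "may" use port 80 and a variant or a later configuration could differ; the expected_port flag lets a responder prioritise rather than discard those lines.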
This malware description was produced and published using our automated analysis system's examination of file SHA1 049cec0e51bd5837b3ac81e41260bffda583a5f0.