PWS:Win32/Bividon.A installs trojan components that capture logon credentials, user keystrokes and mouse operations, which are then sent to a remote server. The trojan components also attempt to stop security-related services and download configuration data files and updates from a remote server. They may also report their presence on the system to the remote server.
Installation
PWS:Win32/Bividon.A may be installed by other malware or when a user inadvertently downloads and executes it via a malicious hyperlink. In the wild, this trojan may be distributed as a hyperlink within spammed e-mail messages sometimes posing as e-cards (electronic greeting cards). In some instances, the link appears as the following:
http://<domain and path>/gusanito.exe
The domain and path vary. When run, the trojan may drop components as the following:
%APPDATA%\gusanito.exe - PWS:Win32/Bividon.A
The registry is modified to execute the dropped trojan copy at each Windows start.
Adds value: "keylogger"
With data: "%APPDATA%\gusanito.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "keylogger"
With data: "%APPDATA%\gusanito.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The dropped executable (e.g. "gusanito.exe") is then executed.
Payload
Steals user credentials
PWS:Win32/Bividon.A launches an instance of the Internet Explorer (IE) Web browser and loads the payload component (e.g. %APPDATA%\klg1.dll) into the running IE process.
PWS:Win32/Bividon.A.dll monitors the windows that are opened. If a window's title is one of the following strings, it closes that window and starts a new instance of IE, which redirects to specific Web sites:
- Bienvenido a Bancanet Empresarial
- Welcome to Bancanet Empresarial
- HSBC México * Conexión para Negocios
- Bancomer
- Empresarial Internet
- Bienvenido a Bancanet
The strings above are window titles of online banking sites (Bancanet, Bancomer and HSBC México are Mexican banks). PWS:Win32/Bividon.A.dll monitors user keystrokes and mouse operations, reads text entered into certain Web pages (e.g. Hotmail e-mail messages), and logs them to a local file. In the wild, this trojan was observed to create the following log data file:
%APPDATA%\ccxeeee.html
Sends and receives data to and from a remote server
PWS:Win32/Bividon.A launches an instance of Notepad and loads the helper component (e.g. "%APPDATA%\xoong3.dll") into the running "Notepad.exe" process. PWS:Win32/Bividon.A.dll retrieves configuration data from a remote server (for example "cmxpet.com"). This trojan may report its installation to a specified remote server, along with the keystroke, mouse-operation and text logs collected on the infected system.
Disables security-related software
PWS:Win32/Bividon.A.dll attempts to neutralize security software by removing the API hooks that the security software installed, restoring the original (unhooked) API code so that the security software no longer intercepts the trojan's activity.
Additional Information
PWS:Win32/Bividon.A monitors the processes into which its payload components are injected (IE and Notepad). If one of these processes is terminated, it launches a new instance and injects the component again.
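The injection into IE and Notepad described under "Payload" and the relaunch behaviour described just above both leave a footprint in process telemetry. The following script is an added example (not part of this write-up and not the trojan's code) showing how to hunt for both in Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records: it flags the known component names, flags any other DLL that IE or Notepad maps from the roaming profile (which also catches renamed components), and flags a non-shell parent that starts IE or Notepad repeatedly within a short window. The event records, the file paths and the ten-minute window are constructed assumptions for illustration.

```python
"""Hunt for Bividon-style DLL injection into IE/Notepad and the relaunch ("watchdog")
pattern in Sysmon-like event records. Added example; records below are constructed."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes the trojan uses as hosts for its injected components.
HOST_PROCESSES = {"iexplore.exe", "notepad.exe"}
# Component names observed in the wild (assumed stable here; they may change).
KNOWN_COMPONENTS = {"klg1.dll", "xoong3.dll"}
# A DLL mapped from the roaming profile (%APPDATA%), Vista+ or XP profile layout.
PROFILE_DLL_RE = re.compile(r"\\(AppData\\Roaming|Application Data)\\.*\.dll$", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def parse_utc(s):
    # Sysmon UtcTime format, e.g. "2009-06-01 10:00:01.000"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def image_load_hits(events):
    """Event ID 7: a DLL mapped into IE or Notepad from the user's roaming profile.
    Known component names are flagged by name; any other DLL from that location is
    flagged generically."""
    hits = []
    for e in events:
        if e["EventID"] != 7 or basename(e["Image"]) not in HOST_PROCESSES:
            continue
        loaded = e["ImageLoaded"]
        if basename(loaded) in KNOWN_COMPONENTS:
            hits.append(("bividon-component", e))
        elif PROFILE_DLL_RE.search(loaded):
            hits.append(("profile-dll-in-host", e))
    return hits


def watchdog_hits(events, window=timedelta(minutes=10), min_spawns=2):
    """Event ID 1: the same non-shell parent launching IE or Notepad at least
    `min_spawns` times inside `window`, the trace left when the trojan relaunches a
    killed host process. Launches by explorer.exe (interactive user) are ignored."""
    spawns = defaultdict(list)
    for e in events:
        if e["EventID"] != 1 or basename(e["Image"]) not in HOST_PROCESSES:
            continue
        if basename(e["ParentImage"]) == "explorer.exe":
            continue
        key = (e["ParentImage"].lower(), basename(e["Image"]))
        spawns[key].append(parse_utc(e["UtcTime"]))
    hits = []
    for (parent, child), times in spawns.items():
        times.sort()
        for i in range(len(times) - min_spawns + 1):
            if times[i + min_spawns - 1] - times[i] <= window:
                hits.append((parent, child, len(times)))
                break
    return hits


# Constructed sample telemetry (hypothetical host "alice"), not from a real system.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DROPPER = r"C:\Users\alice\AppData\Roaming\gusanito.exe"


def ev(eid, t, **fields):
    return {"EventID": eid, "UtcTime": "2009-06-01 " + t, **fields}


SAMPLE_EVENTS = [
    ev(1, "10:00:01.000", Image=IE, ParentImage=DROPPER),
    ev(7, "10:00:02.000", Image=IE, ImageLoaded=r"C:\Users\alice\AppData\Roaming\klg1.dll"),
    ev(7, "10:00:02.100", Image=IE, ImageLoaded=r"C:\Windows\System32\wininet.dll"),
    ev(1, "10:00:05.000", Image=NOTEPAD, ParentImage=DROPPER),
    ev(7, "10:00:06.000", Image=NOTEPAD, ImageLoaded=r"C:\Users\alice\AppData\Roaming\xoong3.dll"),
    # user kills Notepad; the trojan relaunches it, this time with a renamed helper
    ev(1, "10:04:30.000", Image=NOTEPAD, ParentImage=DROPPER),
    ev(7, "10:04:31.000", Image=NOTEPAD, ImageLoaded=r"C:\Users\alice\AppData\Roaming\x1.dll"),
    # an ordinary interactive Notepad launch, for contrast
    ev(1, "10:05:00.000", Image=NOTEPAD, ParentImage=EXPLORER),
    ev(7, "10:05:01.000", Image=NOTEPAD, ImageLoaded=r"C:\Windows\System32\ntdll.dll"),
]

if __name__ == "__main__":
    for kind, e in image_load_hits(SAMPLE_EVENTS):
        print(f"{kind}: {basename(e['Image'])} loaded {e['ImageLoaded']}")
    for parent, child, n in watchdog_hits(SAMPLE_EVENTS):
        print(f"watchdog: {parent} started {child} {n} times")
```

The generic rule (any DLL that iexplore.exe or notepad.exe maps from the roaming profile) is the one worth keeping: Notepad has no business loading code from %APPDATA%, so it holds even after the component names change. The relaunch heuristic needs the parent-process field, which is why Event ID 1 is used rather than a process list snapshot.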
PWS:Win32/Bividon.A may modify the registry by creating a "marker" for its own usage, as in the following example:
Adds value: "first"
With data: "0" or "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion
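The "keylogger" Run values listed under "Installation" and the "first" marker just above are both plain string values, so they can be checked from a registry export without touching the live host. The script below is an added example (not part of this write-up) that parses the Regedit Version 5 export format and classifies each value: the trojan's own persistence entries and marker by name, plus the broader pattern of any Run entry that starts something from the roaming profile. The sample export text is constructed for illustration; handling of HKU\<SID> keys from a loaded NTUSER.DAT and of Wow6432Node paths is an assumption about where the same values may appear, not something the write-up states.

```python
"""Registry triage for the Bividon indicators (Run values named "keylogger" pointing
at %APPDATA%\gusanito.exe, and the "first" marker under CurrentVersion), read from a
'reg export' file. Added example; the export text below is constructed."""
import re
from collections import namedtuple

RegValue = namedtuple("RegValue", "key name data")

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
CV_SUFFIX = r"\software\microsoft\windows\currentversion"
# Autorun data pointing into the roaming profile, whichever form it was written in.
APPDATA_RE = re.compile(r"(^%APPDATA%\\|\\AppData\\Roaming\\|\\Application Data\\)", re.I)
# .reg value line: "name"="data" or @="data"; data may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return the REG_SZ values of a Regedit Version 5 export as RegValue tuples.
    Keys are normalised to HKCU\\..., HKLM\\..., HKU\\...; hex:/dword: values are
    skipped because every indicator here is a plain string."""
    values, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long, short in HIVE_ALIASES.items():
                if key.upper().startswith(long + "\\"):
                    key = short + key[len(long):]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            values.append(RegValue(key, name, unescape(m.group(2))))
    return values


def find_bividon_indicators(values):
    """Classify values: the trojan's persistence entries and marker, plus any autorun
    that starts something from the roaming profile (a broader, generic signal)."""
    hits = []
    for v in values:
        key = v.key.lower().replace("\\wow6432node", "")
        if key.endswith(RUN_SUFFIX):
            if v.name.lower() == "keylogger" or "gusanito.exe" in v.data.lower():
                hits.append(("bividon-persistence", v))
            elif APPDATA_RE.search(v.data):
                hits.append(("appdata-autorun", v))
        elif (key.endswith(CV_SUFFIX) and not key.startswith("hklm")
              and v.name.lower() == "first" and v.data in ("0", "1")):
            hits.append(("bividon-marker", v))
    return hits


# Constructed export text (hypothetical user "alice"), not from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"first"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"keylogger"="%APPDATA%\\gusanito.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"keylogger"="%APPDATA%\\gusanito.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\upd\\upd.exe"
'''

if __name__ == "__main__":
    for kind, v in find_bividon_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{kind}: {v.key}\\{v.name} = {v.data}")
```

On a live host the input comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion cv.reg` (and the HKLM equivalent); note that `reg export` writes UTF-16LE, so open the file with `encoding="utf-16"` before passing its text to `parse_reg_export`. The "first" marker is a weak indicator on its own and is only useful alongside the Run entries or the dropped file.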
Analysis by Shawn Wang & Patrick Nolan