PWS:Win32/Bividon.A.dll is a trojan component that captures logon credentials, user keystrokes and mouse operations and sends collected data to a remote server. The trojan attempts to stop security-related services, download configuration data files and updates from a remote server and may also report its presence in the system to a remote server.
Installation
PWS:Win32/Bividon.A.dll is installed by PWS:Win32/Bividon.A. When run, PWS:Win32/Bividon.A may drop the following components:
%APPDATA%\gusanito.exe - PWS:Win32/Bividon.A
%APPDATA%\<file name 1.dll> (e.g. "klg1.dll") - PWS:Win32/Bividon.A.dll
The registry is modified to execute the dropped trojan copy at each Windows start.
Adds value: "keylogger"
With data: "%APPDATA%\gusanito.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "keylogger"
With data: "%APPDATA%\gusanito.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The dropped executable (e.g. "gusanito.exe") is then executed.
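The two Run-key values above are the persistence indicators a responder would look for first. The following Python helper is an added example, not part of the original analysis: it parses the text of a Windows registry export (.reg format) and flags Run-key values whose name is "keylogger" or whose data points at gusanito.exe. The registry export embedded in the script is constructed for illustration; the other value names in it are ordinary benign entries used to show that they are not flagged.

```python
"""Flag PWS:Win32/Bividon.A persistence entries in a .reg export (added example)."""
from __future__ import annotations

import re
from typing import Iterator

# Indicators taken from the write-up: the Run value name and the dropped file name.
BIVIDON_VALUE_NAME = "keylogger"
BIVIDON_EXE_NAME = "gusanito.exe"

# Both HKCU and HKLM variants end with this subkey path.
RUN_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"\s*$')


def parse_reg_export(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key, value_name, data) for every string value in a .reg export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            # .reg files escape backslashes as "\\"; undo that before matching.
            data = m.group("data").replace("\\\\", "\\")
            yield current_key, m.group("name"), data


def find_bividon_persistence(text: str) -> list[dict]:
    """Return Run-key values matching the Bividon.A indicators, with reasons."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(RUN_SUBKEY.lower()):
            continue  # only Run keys are relevant to this indicator
        reasons = []
        if name.lower() == BIVIDON_VALUE_NAME:
            reasons.append("value name is 'keylogger'")
        if data.lower().endswith(BIVIDON_EXE_NAME):
            reasons.append("data points at gusanito.exe")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


# Constructed sample export: two benign entries plus the two Bividon.A values.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"keylogger"="%APPDATA%\\gusanito.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"keylogger"="%APPDATA%\\gusanito.exe"
"""

if __name__ == "__main__":
    for hit in find_bividon_persistence(SAMPLE_EXPORT):
        print(f"{hit['key']}\\{hit['name']} = {hit['data']}  <- {', '.join(hit['reasons'])}")
```

On a live system the same logic can be fed the output of `reg export` for the HKCU and HKLM Run keys; matching on both the value name and the executable name, independently, keeps the check useful if either is changed in a later variant.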
Payload
Steals user credentials
PWS:Win32/Bividon.A launches an instance of the Web browser Internet Explorer (IE) and loads the payload component (e.g. %APPDATA%\klg1.dll) into the running IE process. PWS:Win32/Bividon.A.dll then monitors the windows that are opened. If a window's title is one of the following strings, it closes that window and starts a new instance of IE to redirect to specific Web sites:
- Bienvenido a Bancanet Empresarial
- Welcome to Bancanet Empresarial
- HSBC México * Conexión para Negocios
- Bancomer
- Empresarial Internet
- Bienvenido a Bancanet
The strings above are likely related to online banking. PWS:Win32/Bividon.A.dll monitors user keystrokes and mouse operations, reads input text from certain Web pages (for example, Hotmail e-mail messages) and logs them to a local file. In the wild, this trojan has been observed to create the following log data file:
%APPDATA%\ccxeeee.html
Sends data to and receives data from a remote server
PWS:Win32/Bividon.A launches an instance of Notepad and loads the helper component (e.g. "%APPDATA%\xoong3.dll") into the running "Notepad.exe" process. PWS:Win32/Bividon.A.dll retrieves configuration data from a remote server (for example "cmxpet.com"). This trojan may report its installation to a specified remote server, along with the keystrokes, mouse operations and text logs collected on the infected system.
Disables security-related software
PWS:Win32/Bividon.A.dll attempts to disable security software by restoring the system API hooks installed by the security software.
Analysis by Shawn Wang