Threat behavior
PWS:Win32/Fireming.A.dll is the detection for a password-stealing trojan that is usually installed by other malware. It logs keystrokes and steals user credentials. Some samples also have backdoor capabilities and can act as spam email relays.
Installation
PWS:Win32/Fireming.A.dll may be installed by other malware that, in turn, arrives on a computer via spammed email messages.
Upon execution, PWS:Win32/Fireming.A.dll creates a copy of itself using a random file name in the Windows folder.
It registers its copy as a Browser Helper Object (BHO) by modifying the system registry. For example:
Creates subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{626fc520-a41e-11cf-a731-00a0c9082637}
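A defender-side check for the persistence mechanism described above, added here as an example and not part of the Microsoft write-up: it enumerates the Browser Helper Objects registered under the key shown, resolves each CLSID to its in-process server DLL, and flags entries whose DLL sits directly in the Windows folder (where the trojan drops its randomly named copy) or is not validly signed. It assumes an elevated PowerShell session on the host being inspected; the function name Get-SuspiciousBho is my own.

```powershell
# Added example, not from the encyclopedia entry: audit registered BHOs.
function Get-SuspiciousBho {
    [CmdletBinding()]
    param()

    $windir = $env:SystemRoot.TrimEnd('\')
    # BHO registrations live under these keys (native and 32-bit-on-64-bit views)
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            # Resolve the COM in-process server (the DLL) registered for this CLSID
            $dll = $null
            foreach ($classes in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\WOW6432Node') {
                $server = Join-Path -Path $classes -ChildPath "CLSID\$clsid\InprocServer32"
                if (Test-Path -Path $server) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    if ($dll) { break }
                }
            }
            $resolved = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') } else { $null }
            # A DLL directly in %SystemRoot% (not System32) matches the drop location in the write-up
            $inWindir = $resolved -and ([IO.Path]::GetDirectoryName($resolved) -ieq $windir)
            $signature = if ($resolved -and (Test-Path -LiteralPath $resolved)) {
                (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
            } else { 'FileMissing' }

            [pscustomobject]@{
                Clsid       = $clsid
                RegistryKey = $entry.Name
                Dll         = $resolved
                Signature   = $signature
                Suspicious  = [bool]($inWindir -or $signature -ne 'Valid')
            }
        }
    }
}

# Usage: list every BHO with suspicious ones first; review flagged entries by hand
Get-SuspiciousBho | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Legitimate but unsigned third-party BHOs will also be flagged, so treat the output as a triage list rather than a verdict.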
Payload
Logs keystrokes
PWS:Win32/Fireming.A.dll monitors keystrokes, which it then writes to a .DAT file in the Windows folder. In the wild, the .DAT file has been known to use the following file names (note that the file name may vary from sample to sample):
Allows backdoor access and control
PWS:Win32/Fireming.A.dll may open a random port to listen for commands from a remote attacker.
Redirects traffic
PWS:Win32/Fireming.A.dll may act as a spam email relay and may redirect network traffic.
Steals user credentials
PWS:Win32/Fireming.A.dll monitors a list of websites and IP addresses, including webmail, search engine, social networking, e-commerce and payment sites, and steals the credentials the user enters on them.
It may then contact a remote web server to upload the stolen credentials and to report computer information, such as the operating system, IP address, and MAC address.
Analysis by Patrik Vicol
Prevention