PWS:Win32/Frethog.gen!L is a member of the W32/Frethog family of password-stealing trojans that target confidential data.
Installation
Upon execution, PWS:Win32/Frethog.gen!L drops a copy of itself as an EXE file in the Windows folder. Some of the file names it has been known to use are the following:
It then modifies the system registry to enable its dropped copy to automatically run every time Windows starts up, for example:
Adds value: "4u"
With data: "%windir%\servicea.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
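The registry indicator above is the most reliable host artifact this entry gives. The following PowerShell hunt is an added example, not part of the original encyclopedia entry: it enumerates the per-user and per-machine Run keys and flags entries that match the persistence pattern described above. The value name "4u" and the target "%windir%\servicea.exe" come from the entry; the broader heuristic of flagging any Run entry whose image is a bare EXE directly inside the Windows folder is an assumption made here (the entry says the dropped copy lands in the Windows folder but lists no other file names), so its hits are leads to verify, not detections.

```powershell
# Added example: hunt HKCU/HKLM Run keys for the Frethog.gen!L persistence
# pattern. Indicators "4u" and "%windir%\servicea.exe" are from the entry;
# the "bare EXE directly in the Windows folder" heuristic is an assumption.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$windir = [System.Environment]::ExpandEnvironmentVariables('%windir%')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($p.Name -like 'PS*') { continue }

        $raw      = [string]$p.Value
        $expanded = [System.Environment]::ExpandEnvironmentVariables($raw)

        # Reduce the command line to the image path: strip a quoted path's
        # quotes and trailing arguments, or cut an unquoted path at ".exe"
        $image = ($expanded -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe)\b.*$', '$1'

        # Heuristic (assumption): an EXE sitting directly in %windir%, with no
        # further subfolder, is unusual for a legitimate autostart entry
        $inWindir = ($image -like "$windir\*.exe") -and
                    ($image.Substring($windir.Length + 1) -notmatch '\\')

        $suspicious = ($p.Name -eq '4u') -or
                      ($image -ieq (Join-Path $windir 'servicea.exe')) -or
                      $inWindir

        if ($suspicious) {
            [PSCustomObject]@{
                Key    = $key
                Name   = $p.Name
                Data   = $raw
                Image  = $image
                Exists = Test-Path -LiteralPath $image
            }
        }
    }
}
```

Run it in an elevated session so the HKLM key is readable, and treat an `Exists = False` hit as worth attention too: a Run value whose target has already been removed by a product that cleaned the file but not the registry still records that the infection was present.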
Payload
Steals Sensitive Information
PWS:Win32/Frethog.gen!L attempts to steal sensitive information, such as user names and passwords for online games, and send it to a remote server.
Drops Additional Malware
PWS:Win32/Frethog.gen!L is capable of dropping various additional malware onto the system. Some of the files that samples of Frethog.gen!L have been known to drop are detected as the following:
It also drops files detected as rootkit malware, which hide the connection between the system and the remote server when Frethog.gen!L performs its password-stealing routine. The rootkit files are detected as the following:
Downloads Additional Malware
PWS:Win32/Frethog.gen!L may also connect to the website "om7890.com", possibly to download other malware.
Modifies System Security Settings
PWS:Win32/Frethog.gen!L may attempt to prevent AVP Antivirus from displaying notifications regarding system changes by closing windows associated with this software.
It also attempts to terminate the "ravmon.exe" process if it is found running on the system.
Analysis by Vitaly Zaytsev