PWS:Win32/PWSteal.O is a trojan that is specifically used to capture personal information, such as user names and passwords, and then send that information to a remote attacker.
Installation
When executed, PWS:Win32/PWSteal.O copies itself to <system folder>\searchindexer.exe.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "SearchIndexer"
With data: "c:\windows\system32\searchindexer.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "SearchIndexer"
With data: "c:\windows\system32\searchindexer.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Adds value: "SearchIndexer"
With data: "c:\windows\system32\searchindexer.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "SearchIndexer"
With data: "c:\windows\system32\searchindexer.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: StubPath
With data: "c:\windows\system32\searchindexer.exe"
To subkey: hklm\software\microsoft\active setup\installed components\{in0p5jh2-5k1p-elif-y74o-782tw8y37t18}
The malware creates the following files on an affected computer:
- c:\documents and settings\administrator\application data\administratorlog.dat
- c:\documents and settings\administrator\local settings\temp\administrator2.txt
- c:\documents and settings\administrator\local settings\temp\administrator7
- c:\documents and settings\administrator\local settings\temp\administrator8
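The persistence entries and dropped files listed above can be checked with the following read-only PowerShell script, added here as an example; it is not part of the original description or of Microsoft's tooling. It assumes an elevated session and the XP-era profile paths exactly as written in the description.

```powershell
# Added read-only check for the PWS:Win32/PWSteal.O persistence and file artifacts
# described on this page (example code, not Microsoft's). Run as Administrator.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

# 1. The four Run / Policies\Explorer\Run locations, each with a value named "SearchIndexer"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props -and $props.PSObject.Properties['SearchIndexer']) {
        $findings.Add([pscustomobject]@{ Where = $key; What = 'SearchIndexer'; Data = $props.SearchIndexer })
    }
}

# 2. Active Setup: the key name in the description is not a valid GUID (it contains non-hex
#    characters), so flag any Installed Components subkey whose name fails the GUID pattern
#    or whose StubPath launches searchindexer.exe. A leading ">" is allowed because some
#    legitimate Active Setup entries use it; review flagged names rather than treating them as proof.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$guidPattern = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
Get-ChildItem -Path $activeSetup | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
    if ($_.PSChildName -notmatch $guidPattern -or ($stub -match 'searchindexer\.exe')) {
        $findings.Add([pscustomobject]@{ Where = $_.Name; What = 'StubPath'; Data = $stub })
    }
}

# 3. Dropped files exactly as listed in the description (XP-era profile layout)
$droppedFiles = @(
    'c:\documents and settings\administrator\application data\administratorlog.dat',
    'c:\documents and settings\administrator\local settings\temp\administrator2.txt',
    'c:\documents and settings\administrator\local settings\temp\administrator7',
    'c:\documents and settings\administrator\local settings\temp\administrator8'
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add([pscustomobject]@{ Where = $f; What = 'file'; Data = (Get-Item -LiteralPath $f).Length })
    }
}

# A file named searchindexer.exe legitimately exists in System32 on systems with Windows Search,
# so the file name alone is not reported; only the persistence entries and dropped files are.
if ($findings.Count -eq 0) { 'No PWSteal.O persistence or file artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

The four Run-key checks are the most reliable indicators here, since a legitimate Windows Search installation never registers searchindexer.exe under Run, Policies\Explorer\Run or Active Setup.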
The malware utilizes code injection in order to hinder detection and removal. When PWS:Win32/PWSteal.O executes, it may inject code into running processes, including the following, for example:
Payload
Contacts remote host
PWS:Win32/PWSteal.O may contact a remote host at agnieszkabus.zapto.org using port 101. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 7af413f567877831ec97851061521b0abc336f7b.