PWS:Win32/Sukwidon.A is a password stealer trojan that is dropped by malicious Microsoft Office documents detected as Exploit:Win32/CVE-2009-3129 and Exploit:Win32/CVE-2010-3333.
Installation
PWS:Win32/Sukwidon.A may arrive as the payload of malicious Microsoft Excel or Microsoft Word documents. It has been observed to be dropped on computers affected by the following vulnerabilities:
- CVE-2009-3129 (detected as Exploit:Win32/CVE-2009-3129)
- CVE-2010-3333 (detected as Exploit:Win32/CVE-2010-3333)
It is usually dropped in the Temporary Files folder with a random file name. When run, it drops a copy of itself as the following:
- %APPDATA%\Microsoft\<folder>\<file name>
where <folder> may be "crypt" or "mediaplayer", and <file name> may be "service.exe" or "cryptmodule.exe".
It also drops several shortcut files that point to its dropped file, for example:
- <startup folder>\imitateapps.cmd.lnk
- <startup folder>\adobe reader speed launch.lnk
- <startup folder>\adobe reader synchronizer.lnk
Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
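Defensive triage for the persistence mechanism described above, added here as example code (it is not from this write-up): it parses the LinkInfo block of each Startup-folder .lnk to recover the local target path and flags shortcuts whose name or target matches the indicators listed on this page. The minimal .lnk builder only produces a constructed sample input; the shortcut names and the %APPDATA%\Microsoft\<folder>\<file name> locations are the ones given above.

```python
import re
import struct

LNK_HEADER_SIZE, HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x4C, 0x01, 0x02
# Shortcut names and drop location named in the write-up above (the regex covers the
# %APPDATA%\Microsoft\<folder>\<file name> suffix only, however %APPDATA% expands).
SUSPECT_LNK_NAMES = {"imitateapps.cmd.lnk", "adobe reader speed launch.lnk", "adobe reader synchronizer.lnk"}
SUSPECT_TARGET = re.compile(r"\\microsoft\\(crypt|mediaplayer)\\(service|cryptmodule)\.exe$", re.I)

def lnk_local_target(data: bytes):
    """Return LocalBasePath + CommonPathSuffix from a .lnk's LinkInfo block, or None."""
    try:
        if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
            return None
        flags = struct.unpack_from("<I", data, 0x14)[0]
        pos = LNK_HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList if present
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if not flags & HAS_LINK_INFO:
            return None
        _, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
    except struct.error:                              # truncated or not a shortcut
        return None
    if not info_flags & 0x01:                         # no VolumeIDAndLocalBasePath
        return None
    def cstr(off):                                    # NUL-terminated ANSI string
        end = data.find(b"\x00", pos + off)
        return data[pos + off:end if end >= 0 else None].decode("cp1252", "replace")
    return cstr(base_off) + cstr(suffix_off)

def triage_startup(entries):
    """entries: (file name, .lnk bytes) pairs. Returns [(name, target, reasons)] for hits."""
    hits = []
    for name, data in entries:
        reasons = []
        if name.lower() in SUSPECT_LNK_NAMES:
            reasons.append("shortcut name matches Sukwidon.A")
        target = lnk_local_target(data) or ""
        if SUSPECT_TARGET.search(target):
            reasons.append("target is the Sukwidon.A drop location")
        if reasons:
            hits.append((name, target, reasons))
    return hits

def build_lnk(target: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo only), used here as sample input."""
    base, hdr = target.encode("cp1252") + b"\x00", 0x1C
    info = struct.pack("<7I", hdr + len(base) + 1, hdr, 0x01, 0, hdr, 0, hdr + len(base)) + base + b"\x00"
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink CLSID
    header = struct.pack("<I", LNK_HEADER_SIZE) + clsid + struct.pack("<I", HAS_LINK_INFO)
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + info
```

On a live system, feed `triage_startup` the `(p.name, p.read_bytes())` pairs of every .lnk in the Startup folder path noted above.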
Payload
Steals user names and passwords
PWS:Win32/Sukwidon.A injects code into "explorer.exe" that steals user names and passwords from one or more of the following applications:
- Internet Explorer
- Mozilla Firefox
- Qualcomm Eudora
- The Bat!
- Becky! Internet Mail
The collected user names and passwords are then encrypted with both AES (Advanced Encryption Standard) and RSA 1024-bit before they are sent to the following email addresses:
- dr.house@wind0ws.kz
- lisa.cuddy@wind0ws.kz
- andre.agacy@wind0ws.kz
Connects to certain servers
PWS:Win32/Sukwidon.A attempts to contact the following servers:
- win<removed>ous.kz
- mic<removed>osofi.org
- 70.<removed>5.221.10
Analysis by Rex Plantado