PWS:Win32/Witkinat.A is a trojan that monitors Internet traffic and opens websites depending on certain keywords present in the browser's address bar. It may also connect to remote servers to download arbitrary files and/or upload information about the infected computer.
Installation
PWS:Win32/Witkinat.A drops the following components:
- <system folder>\0047.dll
- <system folder>\wexe.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It adds the following registry entry to ensure that its component automatically runs every time Windows starts. Because the value used is AppInit_DLLs, the DLL is loaded into every process that loads user32.dll, which includes the web browsers it targets:
Adds value: "AppInit_DLLs"
With data: "<system folder>\0047.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
It also creates the following registry entry as part of its installation routine. Setting this policy value to 1 disables Data Execution Prevention (DEP) for Internet Explorer:
Adds value: "DEPOff"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main
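The following is an added example and not part of the original encyclopedia entry: a PowerShell check for the installation indicators listed above (the two dropped files, the AppInit_DLLs value and the DEPOff policy value). The file names, registry keys and values are taken from the entry; the function name, the Wow6432Node lookup and the output format are this example's own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example: host check for the PWS:Win32/Witkinat.A installation indicators.
# Indicator names, paths and registry locations come from the encyclopedia entry;
# the function name and report layout are this example's own.

function Test-WitkinatIndicators {
    [CmdletBinding()]
    param()

    $findings  = @()
    $systemDir = Join-Path $env:SystemRoot 'System32'   # the <system folder> of the entry

    # 1. Dropped components.
    foreach ($name in '0047.dll', 'wexe.exe') {
        $path = Join-Path $systemDir $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Indicator = 'DroppedFile'; Detail = $path }
        }
    }

    # 2. AppInit_DLLs persistence. Any AppInit_DLLs value naming 0047.dll is suspicious.
    #    On 64-bit Windows, 32-bit processes read the Wow6432Node key, so both are checked.
    $appInitKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $appInitKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.AppInit_DLLs -match '0047\.dll') {
            $findings += [pscustomobject]@{
                Indicator = 'AppInit_DLLs'
                Detail    = "$key : AppInit_DLLs='$($props.AppInit_DLLs)' LoadAppInit_DLLs='$($props.LoadAppInit_DLLs)'"
            }
        }
    }

    # 3. DEP disabled for Internet Explorer by policy (DEPOff = 1).
    #    The value may be stored as REG_SZ "1" or REG_DWORD 1; the [int] cast handles both.
    $depKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    $dep    = Get-ItemProperty -Path $depKey -Name DEPOff -ErrorAction SilentlyContinue
    if ($null -ne $dep -and [int]$dep.DEPOff -eq 1) {
        $findings += [pscustomobject]@{ Indicator = 'DEPOff'; Detail = "$depKey\DEPOff = 1" }
    }

    return $findings
}

# Usage: an empty result means none of the listed indicators were found.
Test-WitkinatIndicators | Format-Table -AutoSize
```

The LoadAppInit_DLLs value is reported alongside AppInit_DLLs because, from Windows Vista onward, AppInit DLLs are only loaded when it is set to 1, and on Windows 8 and later they are not loaded at all while Secure Boot is enabled; an AppInit_DLLs entry on such a system is still an indicator of infection, but the DLL may not actually be running.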
PWS:Win32/Witkinat.A may also inject code into the following process:
Payload
Monitors Internet traffic and opens websites
PWS:Win32/Witkinat.A monitors Internet activities by injecting malicious code into the following browser processes:
It monitors Internet activity when any of the following keywords is present in the address bar; most of them are search-engine query parameters and paths, or advertising and analytics hostnames:
&p=
&q=
&qkw=
&query=
&searchfor=
&text=
.aolcdn.
.arfie.
.atdmt.
.doubleclick.
.live.
.lygo.
.microsoft.
.msn.
.revsci.
.wikipedia.org
/complete/search?
/image/results?
/news/results?
/videosearch?
/Web/
?p=
?q=
?qkw=
?query=
?searchfor=
?text=
addthis.com
advertising.
alltheweb.
altavista.
analytics.com
api.bing.
ask.com
askcache.
bing.
blogsearch.google
cache?
captionHandler.a
cat=img
cnn.
dogpile.
everesttech.net
excite.
facebook.
ftp:
google.
google.search.
googleads.
groups.google
gstatic.
hotbot.
https:
images?
imdb.
imgfarm.
infospace.com
infospaceinc.
lycos.
metacrawler.
mtv.
myspace.
mywebsearch.
othersonline.
pandora.
sa.aol.
search.aol.
search.com
search.netscape.
search.yahoo.
ss.ask.
suggest
translate.google
twitter.
ubox.info
webcrawler.
wzus1.
wzus2.
yimg.
youtube.
ytfeed
It may open a website from the following list, depending on which keyword it matches:
007investigators.com
070korea.com
1-on-2-sex.com
1insure.com
3deeprinters.com
4homeex.com
4onlinedating.com
4outlook.com
5qx.com
7q11.com
862268.com
97goto.info
a-z-accessories.com
a-z-herbs.com
abcarcadee.com
acornmail.com
addictedtotraffic.com
after-sport.com
alcoholetanol.com
all4pluslarowed.com
alphawebhost.com
americansgames.com
arabia.info
ashevillenorthcarolinahotels.com
auctionscomplete.com
avatarbooks.com
aylwin.com
bagpipr.com
bague-solitaire.com
bakingbread.net
basicadnetwork.com
bassanoveneto.com
beefupsecurity.com
befreite-tiere.org
belizecondotels.com
bethelmusiccenter.com
biscotto.com
bmovies.us
boderlinepersonalitydisorder.org
body-reference.com
boligtorvet.com
brain-drain.info
brooklynbabystore.com
browsearuba.com
bubblebang.com
bugrobots.com
builttospillforum.com
bunnyshopping.com
buy-games.org
cheese101.com
buyinganannuity.com
cabsfast.com
calmian.com
ccmrgo.org
certificadores.com
childernandfamilies.com
cityscooter.net
classifique.com
coliris.com
comera.net
comprocket.com
courriers.com
crunch-up.com
cubitandwest.com
cyclocrossframes.com
dailie.com
dartia.com
datreo.com
decelta.com
dermos.com
designairbags.com
digihiway.com
digitalconect.com
divisionoflabor.info
dlmj.com
dragtotop.info
drmaul.com
dtvdemand.org
dummy.biz
dunnfamily.com
eastdocu.com
edeno.com
eightrounds.com
elitemileage.com
energy-efficient-furnaces.com
estrecho.com
europeanexchangerates.com
eutours.net
eyemo.com
ezski.com
fafsa.info
fathersblog.com
featheroffice.com
fibrasol.com
financetel.com
finewear.com
finlandguide.info
fivedimensional.com
flashing.us
foiy.com
foreclosedbustour.com
francobolli.biz
freedvdplace.com
fuckdownload.com
fuzp.com
gainesville.us
gatefb.com
gaynudes.org
gcbids.com
gearworks.net
girlsofsydney.com
giver.net
gobiernosonline.com
golfgo.info
golfvacationhome.com
gordan.net
gray-horse.com
growbiznet.com
grupomassa.com
gtavicecitystoriescheats.com
guesthousefinder.com
guyfamily.com
hairconditions.com
highbonuspoker.com
hoeren.org
horodateurs.com
hotbrunettecollegegirls.com
hrpractitioner.com
hydromorphonehcilawsuits.com
ids-summit.com
ifreeproducts.com
ilikeforex.com
imagensexo.com
incfinancialservices.com
inphilippine.com
insuranceregistry.info
internetmoverlist.net
investorrelations.us
irwt.org
ixadea.com
jardin-fanzine.com
jewishpubs.com
jip.biz
johnmaster.com
jonandkateofftlc.com
jumpmobile.net
kuvos.com
ladybirdclothes.com
lastran.com
leadingedgemedicine.com
lentias.com
light3000.com
linkdollars.info
localadwhiz.com
lookingformarriedwomen.com
lorieonline.com
lovelypussies.com
lrdh.com
luxurycarworld.com
m1visa.com
machojobs.com
magazinediscountnetwork.com
majorcabesthotels.com
mchenrycountypublicrecords.org
mdraperrealty.com
medgarant.com
medical-records-search.com
melumo.net
metime.net
mibia.com
michigantrail.com
miracleradio.org
sporgo.com
mitzvahkinder.com
mmaville.com
movies365.com
mushroomextract.info
mycooltattoos.com
mylady.info
mymartinlogan.com
n-3.info
naturalhang
newhitdrama.com
nochenegra.com
nowfile.com
nycdiscovers.com
nyshealthplan.com
oklahomafinance.net
oktoberfestfreunde.net
optimusbeauty.com
oregonoutdooradventures.com
ou-travailler.com
oveka.com
overcure.com
p-n-a.org
pakistanimusic.org
panhandlegroundwater.org
patchboards.com
pepstation.com
phonegods.com
piercingnipples.com
pointstory.com
portalmix.info
portlandsporthaus.com
powerture.com
printyourownshirts.com
privatejetairport.com
productosdechina.org
proprieteviticole.com
qqqn.net
ubhotel.com
qubb.net
qvgu.com
qwesters.com
raoban.net
realcars.net
rededobanco.com
reducedtransfat.com
registrodemadrid.com
rentthisplane.com
reviewactors.com
roddler.com
rodib.com
rogerdeago.com
romaniaair.com
rsea.org
russiakasino.com
rvl.net
sale24.com
samplebay.com
sbsgame.com
scentiment.net
scriptbookers.com
selectingajob.com
sensitiveporn.com
sestex.com
sexualmasturbation.com
singleseatcar.com
skelmersdale.biz
smallbusinesssmiths.com
smart-grid.us
softrion.com
software-find.com
sohoartauctions.com
soloropainterior.com
sorap.com
sportbikestv.com
sportsbekleidung.com
stallionboards.com
stefanedberg.com
stillkill.com
storewindowdisplays.com
subordinating.com
suiteon.com
sultry.info
supremacy.us
tafeltjes.com
tahajod1429.info
tantem.com
tape-worm.com
teatreedirect.com
thebestskincreamproducts.com
therealestateagents.com
theringer.com
thevoicechoice.us
throwr.com
topandbottomshop.com
topxxxtraffic.com
touch-me.com
tvlh.com
ubox.info
uglygut.com
urfaliyiz.biz
urlifeonline.com
usafha.us
used-motorcycle--parts.com
v-p-t.com
videobuscador.com
videogamecheater.com
videorado.com
vitalgrounds.com
vosicky.com
voyeurtalk.com
w0r1d.com
wavelanguage.com
webtraining.biz
whatrecession.com
wireless-telephone.net
womanjail.com
worldcup10.org
xhau.com
xn--5dbamppt.com
xn--ekry3qr0ivk1b.com
xn--estticadental-dhb.com
xn--mgbug1ern.com
xxxeasyteen.com
yenjapan.com
youay.com
zipnetsearch.com
zufall.info
zuyong-che.net
Connects to remote servers
PWS:Win32/Witkinat.A connects to certain IP addresses; some of the addresses it is known to connect to are:
- 193.169.219.77
- 193.169.219.76
- 193.169.219.72
- 91.209.238.5
It may download arbitrary files from these or other addresses.
It may also send sensitive computer information to these remote servers, including the computer name.
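The following is an added example, not part of the original entry: a PowerShell hunting pass over proxy logs for the three network-side behaviours described above (search-related trigger keywords in requested URLs, requests to the redirect-target domains, and connections to the listed IP addresses). The keywords, domains and addresses are copied from the entry (a subset of the two long lists); the log format, the sample log lines and the assumption that the malware matches keywords case-insensitively as plain substrings are this example's own.

```powershell
# Added example: hunt proxy logs for PWS:Win32/Witkinat.A network indicators.
# Keyword, domain and IP values come from the encyclopedia entry (subsets of the
# long lists); the log format and sample lines below are constructed for this example.

$TriggerKeywords = @('?q=', '&q=', '?p=', '&p=', '?query=', '/complete/search?',
                     'search.yahoo.', 'bing.', 'google.', 'ask.com', '.wikipedia.org')
$RedirectDomains = @('007investigators.com', 'software-find.com', 'ubox.info', 'zipnetsearch.com')
$KnownC2         = @('193.169.219.77', '193.169.219.76', '193.169.219.72', '91.209.238.5')

function Find-WitkinatActivity {
    param([Parameter(Mandatory)][string[]]$LogLines)

    foreach ($line in $LogLines) {
        # Constructed log format: <timestamp> <client-ip> <server-ip> <url>
        $fields = $line -split '\s+', 4
        if ($fields.Count -lt 4) { continue }
        $time, $client, $server, $url = $fields

        $hostName = ''
        try { $hostName = ([uri]$url).Host.ToLowerInvariant() } catch { }
        $urlLower = $url.ToLowerInvariant()

        # 1. URL contains a trigger keyword (substring match, assumed case-insensitive).
        $matched = @($TriggerKeywords | Where-Object { $urlLower.Contains($_.ToLowerInvariant()) })
        if ($matched.Count -gt 0) {
            [pscustomobject]@{ Time = $time; Client = $client; Kind = 'TriggerUrl'
                               Detail = ($matched -join ', '); Url = $url }
        }

        # 2. Request to a redirect-target domain or one of its subdomains.
        $redir = @($RedirectDomains | Where-Object { $hostName -eq $_ -or $hostName.EndsWith('.' + $_) })
        if ($redir.Count -gt 0) {
            [pscustomobject]@{ Time = $time; Client = $client; Kind = 'RedirectDomain'
                               Detail = ($redir -join ', '); Url = $url }
        }

        # 3. Direct connection to one of the listed command-and-control addresses.
        if ($KnownC2 -contains $server) {
            [pscustomobject]@{ Time = $time; Client = $client; Kind = 'KnownC2'
                               Detail = $server; Url = $url }
        }
    }
}

# Constructed sample log (not real traffic). Non-C2 server addresses use the
# RFC 5737 documentation range.
$SampleLog = @(
    '2010-06-01T10:00:01 10.0.0.5 203.0.113.10 http://www.google.com/search?q=cheap+flights',
    '2010-06-01T10:00:02 10.0.0.5 203.0.113.20 http://zipnetsearch.com/',
    '2010-06-01T10:00:09 10.0.0.5 193.169.219.77 http://193.169.219.77/',
    '2010-06-01T10:05:00 10.0.0.7 203.0.113.30 http://intranet.example/home'
)

# Usage: prints three hits for client 10.0.0.5 (TriggerUrl, RedirectDomain, KnownC2)
# and nothing for 10.0.0.7.
Find-WitkinatActivity -LogLines $SampleLog | Format-Table -AutoSize
```

The three indicator kinds carry very different weight: a TriggerUrl hit is just an ordinary web search and only becomes interesting when the same client then requests a redirect-target domain within a few seconds, whereas a KnownC2 hit against the addresses above is a strong signal on its own and the client should be examined with the host check for the installation indicators.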
Analysis by Francis Allan Tan Seng