Trojan.PSW.Widge Viruses Information

Name: Trojan.PSW.Widge
Category: Viruses
Description: Details
Trojan.PSW.Widget

This is a Trojan program that steals passwords and WebMoney information. It can download its "upgrades" from Internet Web sites and replace itself with the new versions. The Trojan was embedded in freeware game packages and was distributed in this way in May 2001.
Because the Trojan can "upgrade" itself from Internet Web sites, the information below may not be completely correct for as yet unknown Trojan versions.
Installation
When the Trojan is run, it copies itself to the Windows system directory under the name TASKSVR32.EXE and registers itself in the registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Task Manager = tasksvr32.exe
If an error occurs while creating that key (the current user has no access to HKLM keys), the Trojan registers itself in the HKCU key instead:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Task Manager = tasksvr32.exe
The Trojan then creates the helper DLL file COOLX.DLL in the Windows system directory. The original Trojan file (from which the Trojan started) is then deleted.
The Trojan also creates more registry keys and writes hexadecimal values there:
HKCU\Software\Microsoft\DirectX
DRMInstallFocus = %hex value% ; these four keys are
DRMInstallPlace = %hex value% ; system time when trojan
DRMUpdateFocus = %hex value% ; installs itself
DRMUpdatePlace = %hex value% ; to the system
DRMVersion = %hex value% ; trojan version
The Trojan then stays in Windows memory as a hidden service process and remains active until Windows is restarted.
Stolen Information
The Trojan sends its author the following information from an infected computer:
Computer name
User name
RegisteredOwner and RegisteredOrganization strings
Installed hardware information
Network resources with access mode
IP address
RAS information, Cached passwords
other Internet access logins and passwords
ICQ user information
WebMoney information and data files
Upgrading
Depending on several conditions, the Trojan obtains files from Internet sites, downloads them to the Windows temporary directory under the name RTTY32.EXE and spawns the downloaded file. These files are the next Trojan versions, and they may have improved functionality.
Known Trojan versions download files from the following pages:
sfavp.chat.ru/update
widpage.chat.ru/update
Other
Some known versions also:
overwrite the C:\AUTOEXEC.BAT file with a "format C:" Trojan program.
run Internet Explorer and open one of the following pages:
http://vrs.ru
http://ebooks.vov.ru
http://3w.ozonebooks.com
run a DoS attack on http://www.ibm.com
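
The registry and file indicators described above can be checked against a registry export and a file listing collected from a suspect machine. The following is an added example, not part of the original description: the function names and the sample data are constructed for illustration, and it assumes the .reg export has already been decoded to text.

```python
import re

# Indicators as named in the description above; matching logic is this example's own.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
DIRECTX_KEY = r"hkey_current_user\software\microsoft\directx"
DRM_VALUES = {"drminstallfocus", "drminstallplace", "drmupdatefocus",
              "drmupdateplace", "drmversion"}
FILE_NAMES = {"tasksvr32.exe", "coolx.dll", "rtty32.exe"}

# Constructed sample input (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Task Manager"="tasksvr32.exe"
"ctfmon"="ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\DirectX]
"DRMVersion"=hex:01,00
"InstalledVersion"=hex:00,04
'''

def parse_reg(text):
    """Yield (key, value_name, data) tuples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                yield key, m.group(1), m.group(2).strip('"')

def scan_registry(text):
    """Return (kind, key, value_name) for each entry matching the write-up."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        # Auto-run entry: checked under any hive, since HKCU is the fallback.
        if (k.endswith(RUN_SUFFIX) and n == "microsoft task manager"
                and data.lower().endswith("tasksvr32.exe")):
            hits.append(("autorun", key, name))
        elif k == DIRECTX_KEY and n in DRM_VALUES:
            hits.append(("marker", key, name))
    return hits

def scan_files(paths):
    """Return paths whose base name is one of the Trojan's file names."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in FILE_NAMES]
```

File matching is by base name only, so a hit should be confirmed against the locations given above (Windows system directory for TASKSVR32.EXE and COOLX.DLL, temporary directory for RTTY32.EXE).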
© 2006-2008 spyware32.com - Privacy Policy