Trojan.PWS.Spy.19338

Added to the Dr.Web virus database: 2015-05-07

Virus description added:

SHA1: 1d5897759ee66047e1d4c6378a52079fac2303f5

A spyware Trojan that sends text entered into the windows of various programs, including accounting software, to a remote server. It is distributed by Trojan.MulDrop6.44482 and is launched directly in the computer’s memory without being saved to disk in decrypted form; the disk holds only an encrypted copy. The Trojan’s main features:

  • Logs key presses
  • Sends information about the system to the server
  • Downloads and runs MZPE files (with and without saving them on disk)

The Trojan consists of several modules. Each module uses its own ID, NAME and TITLE parameters and its own format for the data it sends. All information received from the modules is stored in a single data array that begins with the following structure:

struct st_mod
{
  _BYTE garbage[20];          // overwritten with random bytes on transfer
  _DWORD all_mod_data_size;   // total size of all array elements
  _DWORD dword18;
  _DWORD index;               // number of array elements
  _BYTE hash[16];             // MD5 of the array data
};

The following fields are filled in:

  • all_mod_data_size—a total size of all the array’s components;
  • index—number of all the array’s components;
  • hash—MD5 hash of the array data. It is used to control integrity when sending information from the client to the server.

During transfer of the array data from the server, the first 20 bytes (the garbage field) are replaced with random values.

The rest of the array’s elements looks as follows:

struct st_mod_data
{
  _DWORD element_id;   // data type, see the table below
  _DWORD magic;
  _DWORD size;         // length of data[]
  _DWORD size_;
  _BYTE data[];
};

The st_mod_data structure wraps every piece of information placed into the common array; the data itself may additionally be formatted according to its own type. The element_id field determines the type of the data and its format:

element_id  Value
10001       ID of the infected computer
10002       Name of the botnet (presumably)
10003       Embedded constant 0x1000002
10005       Embedded constant 0x00
10007       Header of the module
10008       Unknown parameter; not used in this sample
10009       Date of data generation by the module
10010       Timestamp corresponding to the moment of data generation by the module
10011       Current time in UTC
10012       System information, represented as the following structure:

            struct st_osinfo
            {
              _BYTE OsVersion;
              _BYTE ServicePackMajor;
              _WORD BuildNumber;
              _WORD ProcArch;
            };

10013       Default system language
10014       Module’s name
10016       List of the computer’s IPv4 addresses
10017       List of the computer’s IPv6 addresses
10018       Module’s ID
10019       Data generated by the module

Each module fills in an st_modinfo structure, which is then converted into a set of st_mod_data elements.

struct st_modinfo
{
  char *name;
  _DWORD ts;
  SYSTEMTIME time;
  _DWORD title;
  _DWORD data;
  _DWORD data_size;
  _DWORD elem10008;
  _DWORD id;
};
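As an added illustration (not code from Dr.Web’s analysis), the following parser walks an array in the st_mod / st_mod_data layout described above, checks the all_mod_data_size, index and hash fields, and decodes the st_osinfo record. It assumes little-endian fields, that the MD5 covers the element bytes following the 48-byte st_mod header, and that size_ mirrors size; the sample array is constructed.

```python
import hashlib
import struct

# Layout assumptions (not stated on the page): little-endian fields, MD5 over the
# element bytes that follow the 48-byte st_mod header, size_ mirrors size.
ST_MOD_FMT = "<20sIII16s"        # garbage, all_mod_data_size, dword18, index, hash
ELEM_FMT = "<IIII"               # element_id, magic, size, size_
ST_MOD_SIZE, ELEM_SIZE = struct.calcsize(ST_MOD_FMT), struct.calcsize(ELEM_FMT)
ELEMENT_NAMES = {10001: "bot_id", 10002: "botnet", 10007: "module_title",
                 10009: "gen_date", 10010: "gen_ts", 10011: "utc_time",
                 10012: "os_info", 10013: "language", 10014: "module_name",
                 10016: "ipv4_list", 10017: "ipv6_list", 10018: "module_id",
                 10019: "module_data"}

def decode_os_info(raw):
    """Unpack st_osinfo: OsVersion, ServicePackMajor, BuildNumber, ProcArch."""
    ver, sp, build, arch = struct.unpack("<BBHH", raw[:6])
    return {"OsVersion": ver, "ServicePackMajor": sp, "BuildNumber": build, "ProcArch": arch}

def build_array(elements, magic=0):
    """Serialise (element_id, data) pairs as st_mod_data records behind an st_mod header."""
    body = b"".join(struct.pack(ELEM_FMT, eid, magic, len(d), len(d)) + d
                    for eid, d in elements)
    return struct.pack(ST_MOD_FMT, b"\x00" * 20, len(body), 0, len(elements),
                       hashlib.md5(body).digest()) + body

def parse_array(blob):
    """Parse the array, check the MD5 and index fields, decode known element types."""
    _garbage, total, _dw18, count, digest = struct.unpack_from(ST_MOD_FMT, blob, 0)
    body = blob[ST_MOD_SIZE:ST_MOD_SIZE + total]
    if len(body) != total or hashlib.md5(body).digest() != digest:
        raise ValueError("size/MD5 mismatch: array truncated or tampered")
    elems, off = [], 0
    while off < total:
        eid, _magic, size, size_ = struct.unpack_from(ELEM_FMT, body, off)
        if size != size_ or off + ELEM_SIZE + size > total:
            raise ValueError("malformed st_mod_data element at offset %d" % off)
        data = body[off + ELEM_SIZE:off + ELEM_SIZE + size]
        off += ELEM_SIZE + size
        value = decode_os_info(data) if eid == 10012 else data
        elems.append((ELEMENT_NAMES.get(eid, "element_%d" % eid), value))
    if len(elems) != count:
        raise ValueError("index field does not match the number of elements")
    return {"count": count, "elements": elems}

# Constructed sample: bot id, module name and an st_osinfo record (ver 6, SP1, build 7601, arch 0)
SAMPLE = build_array([(10001, b"BOT-0001"), (10014, b"keylog"),
                      (10012, struct.pack("<BBHH", 6, 1, 7601, 0))])
```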

The data array is saved to %APPDATA%\Roaming\ntuser.dat in encrypted form (RC4+XOR).

All information sent by Trojan.PWS.Spy.19338 to the server is encrypted first with the RC4 algorithm and then with XOR.

To log keystrokes and clipboard contents, the Trojan creates a window with a randomly named window class. The collected log is saved to "%APPDATA%\Roaming\adobe\system.log". The Trojan also creates a timer that sends log records to the server every minute. To obtain clipboard data, the spyware registers its window in the clipboard viewer chain with the WINAPI SetClipboardViewer() function. It intercepts keystrokes after registering its own input processor, and it checks whether the process name of the input window matches one of the following masks; otherwise keystrokes are not logged.

*\\Skype.exe
*\\WINWORD.EXE
*\\1cv8.exe
*\\1cv7s.exe
*\\1cv7.exe
*\\EXCEL.EXE
*\\msimn.exe
*\\thunderbird.exe
*\\sbis.exe
*\\OUTLOOK.EXE

The window title and the process name are also logged, in the following format:

\r\n[WND: |%s|]\r\n
[PRC: |%s|]\r\n

When clipboard content is logged, the data is placed between the following markers:

[clp bgn]\r\n
\r\n[clp end]\r\n

All the logged information is encrypted with XOR.
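As an added example (not from Dr.Web’s analysis), the following parser splits a decoded system.log in the format above into per-window records, separates clipboard blocks from typed text, and applies the page’s process-name masks to each record. It assumes the XOR layer has already been removed (the key is not given here); the log sample is constructed.

```python
import fnmatch
import re

# Process-name masks from the analysis; matched case-insensitively, as Windows paths are.
TARGET_MASKS = [r"*\Skype.exe", r"*\WINWORD.EXE", r"*\1cv8.exe", r"*\1cv7s.exe",
                r"*\1cv7.exe", r"*\EXCEL.EXE", r"*\msimn.exe", r"*\thunderbird.exe",
                r"*\sbis.exe", r"*\OUTLOOK.EXE"]

# Record header: "\r\n[WND: |title|]\r\n[PRC: |process|]\r\n"; clipboard block markers.
HEADER_RE = re.compile(r"\r\n\[WND: \|(.*?)\|\]\r\n\[PRC: \|(.*?)\|\]\r\n", re.S)
CLIP_RE = re.compile(r"\[clp bgn\]\r\n(.*?)\r\n\[clp end\]\r\n", re.S)

def is_targeted(process_path):
    """True if the process path matches one of the Trojan's masks."""
    return any(fnmatch.fnmatchcase(process_path.lower(), m.lower()) for m in TARGET_MASKS)

def parse_log(text):
    """Split a decoded log into records: window title, process, keystrokes, clipboard."""
    records = []
    parts = HEADER_RE.split(text)      # [preamble, wnd, prc, body, wnd, prc, body, ...]
    for i in range(1, len(parts), 3):
        wnd, prc, body = parts[i], parts[i + 1], parts[i + 2]
        records.append({
            "window": wnd,
            "process": prc,
            "clipboard": CLIP_RE.findall(body),   # pasted text between the markers
            "keys": CLIP_RE.sub("", body),        # what remains is typed input
            "targeted": is_targeted(prc),         # would the Trojan log keys here?
        })
    return records

# Constructed sample log (already XOR-decoded): one Word window with a paste, one Notepad window.
SAMPLE_LOG = (
    "\r\n[WND: |Document1 - Word|]\r\n"
    "[PRC: |C:\\Program Files\\Microsoft Office\\WINWORD.EXE|]\r\n"
    "Dear colleagues,"
    "[clp bgn]\r\npasted text\r\n[clp end]\r\n"
    "regards"
    "\r\n[WND: |Untitled - Notepad|]\r\n"
    "[PRC: |C:\\Windows\\notepad.exe|]\r\n"
)
```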

In addition, every 3 minutes the Trojan collects information about connected smart card devices and generates an st_modinfo structure from it.

A separate module collects information about the system and saves it into the following structure:

struct st_dummy_info
{
  _BYTE IsAdmin;
  _BYTE MajorVer;
  _BYTE MinorVer;
  _BYTE ProductType;
};

The Trojan can download and run MZPE files using two methods:

  • If the buffer has the 0x5A4D signature at zero offset, the file is saved to %TEMP% and is then executed.
  • If the buffer has the 0x444C signature at zero offset, the file is executed without saving it on the disk.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom, or some other announcement prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this can be done in various ways; consult the user guide shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android on the infected handheld and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off your device and turn it on as normal.
