| Malware name | Trojan.PSW.Online.cfd |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 68E8C119BD02960098965B8F1C92C545 |
| Static file | yes |
| Filesize | 110,031 Bytes |
| Alias names (also known as) | Webwasher Proactive: Win32.Malware.gen!82; McAfee: Generic PWS.ak |
| Protection | Webwasher Proactive, Database Version: 103 |
| Side effects | Downloads a malicious file; Drops malicious files; Registry modification; Steals information |
| Propagation | Mapped network drives |
Description:
Files
It copies itself to the following locations:
• %SYSDIR%\kamsoft.exe
• C:\whi.com
It deletes the initially executed copy of itself.
The following files are created:
– C:\autorun.inf
This is a plain text file rather than executable code; it carries the AutoRun entry that launches the dropped copy when the drive is opened, which is how the sample spreads over mapped network drives. Its content:
• %code that runs malware%
– %SYSDIR%\drivers\klif.sys
Further investigation pointed out that this file is malware, too. Detected as: Rootkit.Vanti.HP
– %SYSDIR%\gasretyw0.dll
Further investigation pointed out that this file is malware, too. Detected as:
It tries to download a file:
– The location is the following:
• http://zsde4.com/**********/help.rar
It is saved on the local hard drive under: %TEMPDIR%\help.exe (note the extension change from .rar to .exe). This file is executed as soon as the download completes. Further investigation pointed out that this file is malware, too. Detected as:
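How the dropped autorun.inf turns a mapped drive into a launcher, as an added example that is not part of the original description: a small parser that reads an autorun.inf and reports which entries would make the shell run a program. The page elides the real file content, so the loader sample below is constructed (it points at whi.com, the name this sample drops at the drive root), and the benign icon-only sample is constructed as well.

```python
import re

# Keys in the [autorun] section that make the shell run a program: "open" and
# "shellexecute" fire on AutoRun/AutoPlay, while "shell\<verb>\command" entries
# run when the drive's context-menu verb (or its default double-click action)
# is used in Explorer.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
PROGRAM_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)(\s|$)", re.IGNORECASE)

# Constructed sample (not the real autorun.inf, which the page elides): a
# root-of-drive loader of the kind dropped next to C:\whi.com.
SAMPLE_LOADER = """\
; autorun.inf
[AutoRun]
open=whi.com
shell\\open\\Command=whi.com
shell\\explore\\Command=whi.com
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed benign sample: only cosmetic keys, nothing is executed.
SAMPLE_BENIGN = """\
[autorun]
icon=setup.ico
label=Backup disk
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Hand-rolled rather than configparser so that comment lines before the
    section header, duplicate keys and backslashes in key names are all
    tolerated, as they are by the Windows shell.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(entries):
    """Return (key, command) pairs that would cause a program to run."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def assess(text):
    """Classify an autorun.inf: 'loader' if any executing key points at a
    program file, otherwise 'benign-looking' (icon/label-only files)."""
    launches = launched_programs(parse_autorun(text))
    suspicious = [(k, v) for k, v in launches if PROGRAM_RE.search(v)]
    return {
        "launches": launches,
        "suspicious": suspicious,
        "verdict": "loader" if suspicious else "benign-looking",
    }


if __name__ == "__main__":
    for name, sample in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample))
```

The shell\*\command keys are checked as well as open= because, on the Windows versions this sample targets, those verbs are honoured when the drive is double-clicked in Explorer even where AutoRun itself has been disabled by policy; an autorun.inf that only sets icon and label is the normal benign case.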
3040 Registry
The following registry key is added so that the dropped driver is loaded at every boot; the values register klif.sys as a kernel driver (Type 1) that the system loads during kernel initialisation (Start 1) with normal error handling (ErrorControl 1):
– [HKLM\SYSTEM\ControlSet001\Services\KAVsys]
• Type=dword:00000001
• ErrorControl=dword:00000001
• Start=dword:00000001
• ImagePath="\??\%SYSDIR%\drivers\klif.sys"
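To check a host for the persistence entry above, here is an added example (not the page's own tooling) that parses a Regedit .reg export of the Services key, decodes the Type, Start and ErrorControl dwords into their Service Control Manager constant names and lists every service, in any control set, whose ImagePath ends in klif.sys. The .reg text is constructed from the values listed above; the C:\WINDOWS\system32 expansion of %SYSDIR% and the Beep entry used as a control are assumptions, not from the page.

```python
import re

# Meaning of the numeric service values written by the sample (SCM constants
# from winnt.h/winsvc.h; only the ones relevant here are listed).
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}

# Constructed .reg export built from the values listed on the page, with
# %SYSDIR% expanded to C:\WINDOWS\system32 (an assumption). The Beep entry is
# a constructed control so the filter has something to ignore. Regedit doubles
# backslashes inside string values, hence the \\ below.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KAVsys]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\klif.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$",
    re.IGNORECASE)


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.
    Handles dword and plain string values, which is all a service key needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, hexval, strval = m.groups()
            if hexval is not None:
                keys[current][name] = int(hexval, 16)
            else:
                # undo regedit's escaping of backslash and double quote
                keys[current][name] = re.sub(r"\\(.)", r"\1", strval)
    return keys


def describe_service(values):
    """Translate the raw dwords into the SCM constant names."""
    return {
        "type": SERVICE_TYPE.get(values.get("Type"), "unknown"),
        "start": START_TYPE.get(values.get("Start"), "unknown"),
        "error_control": ERROR_CONTROL.get(values.get("ErrorControl"), "unknown"),
        "image_path": values.get("ImagePath"),
    }


def find_driver_services(keys, image_name):
    """Return [(service_name, description)] for every service, in any control
    set, whose ImagePath ends with image_name (case-insensitive)."""
    hits = []
    for key, values in keys.items():
        m = SERVICE_KEY_RE.match(key)
        if not m:
            continue
        desc = describe_service(values)
        path = desc["image_path"] or ""
        if path.lower().endswith("\\" + image_name.lower()):
            hits.append((m.group(1), desc))
    return hits


if __name__ == "__main__":
    for name, desc in find_driver_services(parse_reg(SAMPLE_REG), "klif.sys"):
        print(name, desc)
```

On a suspect machine, export the key with `reg export HKLM\SYSTEM\ControlSet001\Services services.reg` (CurrentControlSet is an alias for whichever ControlSet00N is active, so check both) and feed the file to parse_reg. A path match on its own is not proof: klif.sys is also the file name of a legitimate Kaspersky Lab driver, which the service name KAVsys suggests this sample is imitating, so confirm with the file hash before acting on the hit.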
File details
Runtime packer: To hinder detection and reduce the file size, the sample is packed with a runtime packer.