Pws-jo

**Anilrgowda** · 22-Jan-2007, 09:51 AM

Risk Assessment - Home Users: Low-Profiled - Corporate Users: Low-Profiled Date Discovered: 12/20/2006 Date Added: 12/21/2006 Origin: N/A Length: 116,224 bytes Type: Trojan SubType: Password Stealer DAT Required: 4924 Virus Family Statistics (over the past 30 days)

Virus Name Infected Files Scanned Files % Infected Computers

PWS-Johar 2 132,150 0.00

PWS-Johar.cfg 2 132,150 0.00

PWS-Johar.cli 0 0 0.00

PWS-Johar.dll 2 132,150 0.00

PWS-Johar.svr 2 132,150 0.00

W97M/PWS-Johar 2 132,150 0.00

X97M/PWS-Johar 2 132,150 0.00

Virus Characteristics

This trojan captures all keystrokes and saves them to the file %SysDir%\wmp.
It attempts to contact nsdf.no-ip.biz, however it appears the site is no longer accessible. If connected successfully it can download and execute arbitrary code, and also send back the saved log file containing recorded keystrokes.
System Changes
Registry Elements Added

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D0CCE2D-2EEF-4432-0503-020002010803}
"StubPath" = "C:\WINDOWS\System32\wmp.exe"
HKEY_USER\.DEFAULT\Software\Microsoft\esEvcBko*
"NmqrkcBE*" = (binary data)
(* may be a random sequence)

Files Added

C:\WINDOWS\system32\wmp. (no extension)
C:\WINDOWS\system32\wmp.exe

Indications of Infection

Presence of aforementioned files and registry keys.
The applications creates the following network connection(s):
- nsdf.no-ip.biz:80

Method of Infection

N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system. Additionally many of these are mass spammed by the author to entice people into double-clicking on them. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction)

Removal Instructions

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination. Additional Windows ME/XP removal considerations

Aliases

ESET : Win32/Elife.A, Microsoft : Win32/Scypex.A, Sophos: Troj/PWSkype-A, Symantec: Downloader

22-Jan-2007, 09:51 AM	#1 (permalink)
Anilrgowda Administrator Posts: 18,715 Join Date: Jan 2006 Rep Power: 10 IM:	Pws-jo Risk Assessment - Home Users: Low-Profiled - Corporate Users: Low-Profiled Date Discovered: 12/20/2006 Date Added: 12/21/2006 Origin: N/A Length: 116,224 bytes Type: Trojan SubType: Password Stealer DAT Required: 4924 Virus Family Statistics (over the past 30 days) Virus Name Infected Files Scanned Files % Infected Computers PWS-Johar 2 132,150 0.00 PWS-Johar.cfg 2 132,150 0.00 PWS-Johar.cli 0 0 0.00 PWS-Johar.dll 2 132,150 0.00 PWS-Johar.svr 2 132,150 0.00 W97M/PWS-Johar 2 132,150 0.00 X97M/PWS-Johar 2 132,150 0.00 Virus Characteristics This trojan captures all keystrokes and saves them to the file %SysDir%\wmp. It attempts to contact nsdf.no-ip.biz, however it appears the site is no longer accessible. If connected successfully it can download and execute arbitrary code, and also send back the saved log file containing recorded keystrokes. System Changes Registry Elements Added HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D0CCE2D-2EEF-4432-0503-020002010803} "StubPath" = "C:\WINDOWS\System32\wmp.exe" HKEY_USER\.DEFAULT\Software\Microsoft\esEvcBko* "NmqrkcBE" = (binary data) ( may be a random sequence) Files Added C:\WINDOWS\system32\wmp. (no extension) C:\WINDOWS\system32\wmp.exe Indications of Infection Presence of aforementioned files and registry keys. The applications creates the following network connection(s): nsdf.no-ip.biz:80 Method of Infection N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system. Additionally many of these are mass spammed by the author to entice people into double-clicking on them. Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction) Removal Instructions AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination. Additional Windows ME/XP removal considerations Aliases ESET : Win32/Elife.A, Microsoft : Win32/Scypex.A, Sophos: Troj/PWSkype-A, Symantec: Downloader

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)