PWS-WinPatch

Type: Trojan
SubType: Password
Discovery Date: 05/30/2006
Length:
Minimum DAT: 4773 (05/30/2006)
Updated DAT: 4790 (06/21/2006)
Minimum Engine: 5.1.00
Description Added: 05/30/2006
Description Modified: 05/30/2006 2:28 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update May 29th, 2006 --

A recent spam run has been reported that attempts to download a password stealer, detected as PWS-WinPatch, from the following URL:

http://www.suburbanhomerecords.com/[Removed]/winlogon_patchV1.12.exe

The e-mail has a spoofed "from" field so it looks like it has been sent from patch@microsoft.com.

PWS-WinPatch was spammed on May 29th, 2006 using the following email format:

From: Microsoft [mailto:patch@microsoft.com]
Sent: Monday, 29 May 2006 7:16 AM
To: Victim
Subject: Microsoft WinLogon Service - Vulnerability Issue

Microsoft Coorporation

A new vulnerability has been discovered in the Microsoft WinLogon Service , that would allow an attacker to gain access to an unpached computer.

Since your email is part of our private mail lists and your have succesfully registered your Microsoft Windows , you can download the patch to fix this vulnerability before others do.

Please click the link below to download the patch and protect your computer against WinLogon attacks :

http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe

You are free to share this with all your friends and relatives that are using Microsoft Windows Operating System

Thank you

Microsoft Coorp.

Symptoms

When executed, PWS-WinPatch displays a bogus message (the screenshot is not reproduced in this text).
Drops a copy of itself and its DLL component into the following locations:

  • %WINDIR%\winlogon_patchV1.dll
  • %WINDIR%\%SYSTEM%\winlogon_patchV1.12

Creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
{DEBEAC1B-2241-85E7-5FFE-A9213ED9497F}
"StubPath" = "%WINDIR%\%SYSTEM%\winlogon_patchV1.12"

Disables System Restore on Windows XP machines by modifying the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice
"Start" = "04"
  
It then injects its DLL component into explorer.exe and logs keystrokes and clipboard content into an encrypted text file at the following location:

%WINDIR%\%SYSTEM%\pjajp.nxy
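The file, registry and process indicators listed above can be swept on a suspect host with the PowerShell script below. It is an added example written for this page, not code from AVERT or McAfee; it assumes that %WINDIR%\%SYSTEM% in the description means the System32 directory, that a "Start" value of 4 for srservice is SERVICE_DISABLED, and that the injected DLL keeps the dropped file name when loaded into explorer.exe. Run it from an elevated session.

```powershell
# Added example (not part of the original AVERT description): sweep a host for
# the PWS-WinPatch indicators quoted above and report every match.
$findings = @()

# 1. Dropped files. Assumption: %WINDIR%\%SYSTEM% on the page is the System32 directory.
$winDir = $env:WINDIR
$sysDir = [Environment]::GetFolderPath('System')
$droppedFiles = @(
    (Join-Path $winDir 'winlogon_patchV1.dll'),
    (Join-Path $sysDir 'winlogon_patchV1.12'),
    (Join-Path $sysDir 'pjajp.nxy')          # encrypted keystroke/clipboard log
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$path ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }
}

# 2. Active Setup persistence. A StubPath under Installed Components is executed
#    once per user at logon; the CLSID is the one given in the description.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{DEBEAC1B-2241-85E7-5FFE-A9213ED9497F}'
if (Test-Path -LiteralPath $activeSetup) {
    $stub = (Get-ItemProperty -LiteralPath $activeSetup -ErrorAction SilentlyContinue).StubPath
    $findings += [pscustomobject]@{
        Indicator = 'Registry'
        Detail    = "$activeSetup StubPath=$stub"
    }
}

# 3. System Restore service start type. Assumption: Start=4 means SERVICE_DISABLED,
#    which matches the "Start" = "04" change described on the page.
$srKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice'
if (Test-Path -LiteralPath $srKey) {
    $start = (Get-ItemProperty -LiteralPath $srKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Detail    = "$srKey Start=$start (System Restore service disabled)"
        }
    }
}

# 4. DLL injected into explorer.exe. Assumption: the loaded module keeps the dropped
#    file name. Module enumeration can fail on access or bitness mismatch, so note
#    that rather than abort the sweep.
foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    try {
        foreach ($module in $proc.Modules) {
            if ($module.ModuleName -like 'winlogon_patchV1*') {
                $findings += [pscustomobject]@{
                    Indicator = 'Process'
                    Detail    = "explorer.exe PID $($proc.Id) has loaded $($module.FileName)"
                }
            }
        }
    } catch {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "could not enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PWS-WinPatch indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean host prints the single "No PWS-WinPatch indicators found." line; any match is listed with enough context (file size and timestamp, the StubPath value, the loaded module path) to triage before running the DAT-based removal described under Removal.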

Method of Infection

This trojan was mass spammed on May 29th, 2006.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

Overview

PWS-WinPatch is a trojan written in Borland Delphi that arrives in an email claiming to be a Microsoft patch for the Winlogon service. It contains functionality to log keystrokes and send this information to a remote address.


Aliases

  • BeastPWS.C!tr (Fortinet)
  • Troj/BeastPWS-C (Sophos)
  • Trojan-Spy.Win32.Delf.jq (Kaspersky)
  • Trojan.BeastPWS.C (BitDefender)
  • TrojanSpy.Winpatch.B (VirusBuster)
  • Win32/Spy.Delf.NBR (ESET)
