
Trojan:Win32/Fakegina.S


First posted on 23 October 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Fakegina.S is also known as TrojanSpy.Agent.YJBT (VirusBuster), Trojan horse PSW.Agent.AHQM (AVG), TR/Spy.Agent.BOU (Avira), Mal/FakeGina-A (Sophos).

Explanation:

Trojan:Win32/Fakegina.S is a trojan that is installed as a Microsoft Graphical Identification and Authentication (GINA) Dynamic Link Library file, and is used to log sensitive authentication information.

Trojan:Win32/Fakegina.S is loaded into the Winlogon.exe process. Its exported functions in turn call the original MSGINA.DLL functions, so normal logon behaviour is preserved. When WlxLoggedOutSAS, an export of the malware DLL, is called, Trojan:Win32/Fakegina.S writes the following information:

  • Time Stamp
  • Username
  • Domain
  • Password

to the following location: <system folder>\drivers\ipv6.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 it is C:\Windows\System32. The information in the log file is presumably retrieved by another component.
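A defender-side check for the two artifacts described above, written as an added example for this page (it is not part of the original entry and not vendor tooling). It reads the Winlogon GinaDLL registry value, which names the DLL Winlogon loads on Windows 2000, XP and Server 2003 (Vista and later replaced GINA with credential providers, so on those systems only the file check applies), and looks for a non-PE file at <system folder>\drivers\ipv6.sys. The 'MZ' test is an assumption made here: a genuine driver is a PE image, while a credential log written by this trojan would not be.

```powershell
# Added example, not from the original entry: read-only triage for Fakegina.S indicators.
# Run in an elevated PowerShell session on the host being examined.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$systemDir   = [Environment]::SystemDirectory            # e.g. C:\Windows\System32
$logArtifact = Join-Path $systemDir 'drivers\ipv6.sys'   # log location named in the entry

$findings = @()

# 1. GinaDLL: Winlogon (2000/XP/2003) loads the DLL named here; absent means the
#    default msgina.dll. Any other value points at a replacement GINA worth inspecting.
$gina = (Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue).GinaDLL
if ($gina -and ($gina -notmatch '^(.*\\)?msgina\.dll$')) {
    $findings += "GinaDLL is set to '$gina' (expected absent or msgina.dll)"
    # A bare file name is resolved relative to the system directory so the
    # analyst knows which file to collect.
    $ginaPath = if ([IO.Path]::IsPathRooted($gina)) { $gina } else { Join-Path $systemDir $gina }
    if (Test-Path $ginaPath) {
        $findings += "  -> candidate GINA file present at $ginaPath"
    } else {
        $findings += "  -> $ginaPath not found on disk (value may be stale)"
    }
}

# 2. The credential log: a file named ipv6.sys under drivers\ that is not a PE image.
#    Assumption: a legitimate driver starts with the 'MZ' DOS header; a text log does not.
if (Test-Path $logArtifact) {
    $bytes = [IO.File]::ReadAllBytes($logArtifact)
    $isPe  = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    if (-not $isPe) {
        $findings += "$logArtifact exists and is not a PE file (possible credential log, $($bytes.Length) bytes)"
    }
}

if ($findings.Count -eq 0) {
    'No Fakegina.S indicators found.'
} else {
    'Possible Fakegina.S indicators:'
    $findings
}
```

If either finding fires, treat every credential entered at the console since the DLL was installed as exposed, collect both files before remediation, and restore the GinaDLL value (or delete it so the default msgina.dll is used) only after the replacement DLL has been preserved for analysis.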

Analysis by Ray Roberts

Last update 23 October 2010
