
PWS:Win32/Magania


First posted on 04 May 2010.
Source: SecurityHome

Aliases :

There are no other names known for PWS:Win32/Magania.

Explanation :

PWS:Win32/Magania is a password stealing trojan that injects code into the "explorer.exe" process. The injected code varies according to the sample.

Installation :

Win32/Magania usually arrives on the computer with a random file name. It is executed from its original location, usually in the Windows system folder. It modifies the system registry so that it runs automatically every time Windows starts. In the wild, one of the following two changes has been observed:

Adds value: "SystemMgr"
With data: "<malware file name>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

or

Adds value: "Userinit"
With data: "<system folder>\userinit.exe,<malware file name>",
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista and 7.

Note - the Userinit value normally contains only the path to userinit.exe followed by a trailing comma. Winlogon launches every comma-separated program listed there at logon, so appending the malware path to the existing value, rather than replacing it, keeps the normal logon sequence intact while adding the trojan to it. Any additional entry in this value is therefore a useful indicator when checking a system.

Payload :

Injects code into processes

Win32/Magania injects code into the "explorer.exe" process. Depending on the variant, this code may be used to steal password information or to download and execute additional files.
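The two registry changes listed above are concrete enough to check for. The script below is an added example, not part of the original write-up: it parses a Winlogon Userinit value and a set of Run values for the indicators named on this page (an extra comma-separated entry after userinit.exe, and a Run value called "SystemMgr"). The function names, the sample registry contents and the placeholder file name abcd1234.exe are constructed for the example; the page itself only says the file name is random. On Windows the script also reads the live values with winreg; on any other OS it runs only against the sample data.

```python
"""Check the Win32/Magania persistence points described on this page.

Added example, not part of the original write-up. The registry paths and the
"SystemMgr" value name come from the page; every function name, the sample
data and the placeholder file name "abcd1234.exe" are constructed here.
"""
import ntpath
import sys

# Registry locations named in the write-up.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_VALUE_NAME = "SystemMgr"  # value name observed in the wild

# Constructed sample data standing in for registry contents.
CLEAN_USERINIT = r"C:\Windows\System32\userinit.exe,"
INFECTED_USERINIT = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\abcd1234.exe,"
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "SystemMgr": r"C:\Windows\System32\abcd1234.exe",  # placeholder random name
}


def parse_userinit(value):
    """Split a Userinit string into its non-empty, unquoted entries.

    Winlogon launches each comma-separated entry at logon, which is why
    appending a path after userinit.exe works as a persistence mechanism.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value, system_folder=r"C:\Windows\System32"):
    """Return every Userinit entry that is not the legitimate userinit.exe.

    ntpath is used so the Windows path comparison also works when this script
    is run on another OS; the comparison is case-insensitive.
    """
    legit = ntpath.normcase(ntpath.join(system_folder, "userinit.exe"))
    extras = []
    for entry in parse_userinit(value):
        if ntpath.normcase(entry) in (legit, "userinit.exe"):
            continue
        extras.append(entry)
    return extras


def check_run_values(values):
    """Return (name, data) pairs from a Run key whose value name is SystemMgr."""
    return [(name, data) for name, data in values.items()
            if name.lower() == RUN_VALUE_NAME.lower()]


def read_live_values():
    """On Windows, read the real Userinit string and Run values with winreg.

    Returns (userinit, run_values), or None when not running on Windows.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # raised once all values have been enumerated
                break
            run_values[name] = data
            i += 1
    return userinit, run_values


def report(userinit, run_values, system_folder=r"C:\Windows\System32"):
    """Print findings for one (Userinit, Run values) pair; return True if clean."""
    extras = suspicious_userinit_entries(userinit, system_folder)
    hits = check_run_values(run_values)
    for e in extras:
        print(f"[!] extra Userinit entry under {WINLOGON_KEY}: {e}")
    for name, data in hits:
        print(f"[!] {RUN_KEY}\\{name} = {data}")
    return not extras and not hits


if __name__ == "__main__":
    print("sample (clean):", report(CLEAN_USERINIT, {}))
    print("sample (infected):", report(INFECTED_USERINIT, SAMPLE_RUN_VALUES))
    live = read_live_values()
    if live is not None:
        print("live system:", report(*live))
```

Pass the system folder of the machine being examined to report() (for example C:\Winnt\System32 on Windows 2000) so the legitimate userinit.exe path is compared correctly; the check flags only what the page describes, so a hit means the indicators are present, not that the file has been identified as Magania.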

Analysis by Matt McCormack

Last update 04 May 2010

 
