Trojan:MSIL/Parpwuts.B
First posted on 08 January 2013.
Source: Microsoft
Aliases:
Trojan:MSIL/Parpwuts.B is also known as Trojan/Win32.Windef (AhnLab), Trojan-Dropper.Win32.Dorifel.wqp (Kaspersky).
Explanation:
In the wild, we have observed Trojan:MSIL/Parpwuts.B masquerading as a keyboard driver with the file name "kbdiumdm.exe".
You may be lured into downloading and running the trojan, thinking it is a legitimate driver or update for a keyboard.
Installation
When run, Trojan:MSIL/Parpwuts.B drops a copy of itself into the "%HOMEPATH%\Administrator\drivers" folder, using one of the following file names:
- explorer.exe
- iexplorer.exe
Note: %HOMEPATH% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Home folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\". For Windows Vista, 7, and 8, the default location is "C:\Users\".
Trojan:MSIL/Parpwuts.B modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Explorer"
With data: "%HOMEPATH%\Administrator\drivers\<malware file>", for example "explorer.exe"
We have also observed recent versions of this trojan creating and dropping copies of itself in the "%HOMEPATH%\Administrator" folder.
These newer versions modify the following registry entry to ensure their copies run at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value>", for example "M0UxOTBDNkYQwErTaSdFg"
With data: "%HOMEPATH%\Administrator\<malware file>"
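As an added detection check that is not part of Microsoft's write-up: a Python helper that parses a `reg export` of the Run key (the export text below is a constructed sample, not a real capture) and flags values matching the two persistence patterns described above, whether the data is stored expanded or still contains %HOMEPATH%.

```python
"""Flag HKLM Run values matching the Trojan:MSIL/Parpwuts.B persistence
pattern described above. Added example; not Microsoft's tooling."""
import re
from typing import Dict, List

# Constructed sample shaped like "reg export" output: the two middle entries
# mirror the page's indicators, the other two are benign decoys.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Explorer"="C:\\Users\\Administrator\\drivers\\explorer.exe"
"M0UxOTBDNkYQwErTaSdFg"="C:\\Users\\Administrator\\iexplorer.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

DROPPED_NAMES = {"explorer.exe", "iexplorer.exe"}   # names listed on the page
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')       # "name"="data" lines
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{16,}$")      # e.g. M0UxOTBDNkYQwErTaSdFg

def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value name: data} for the string values of a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:  # .reg files escape each backslash as "\\"; undo that
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def check_run_value(name: str, data: str) -> List[str]:
    """Reasons this Run entry matches the described pattern (empty = clean)."""
    path = data.strip('"').lower()          # works for "%HOMEPATH%\..." too
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "\\administrator\\drivers\\" in path and base in DROPPED_NAMES:
        reasons.append("copy in <home>\\Administrator\\drivers\\ named " + base)
    if name.lower() == "windows explorer" and "\\administrator\\" in path:
        reasons.append('value "Windows Explorer" points into a profile folder')
    if RANDOM_NAME.match(name) and "\\administrator\\" in path and base.endswith(".exe"):
        reasons.append("random-looking value name running an .exe from <home>\\Administrator")
    return reasons

def scan_run_export(reg_text: str) -> Dict[str, List[str]]:
    """Map each suspicious value name to the reasons it was flagged."""
    hits = {}
    for name, data in parse_run_values(reg_text).items():
        reasons = check_run_value(name, data)
        if reasons:
            hits[name] = reasons
    return hits

if __name__ == "__main__":
    for name, reasons in scan_run_export(SAMPLE_REG_EXPORT).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

On a live host, feed the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` to `scan_run_export` instead of the sample.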
Payload
Trojan:MSIL/Parpwuts.B opens your Internet browser and displays pages from certain advertising or pornographic websites.
Analysis by Zarestel Ferrer
Last update 08 January 2013