Trojan:MSIL/Parpwuts.B


First posted on 08 January 2013.
Source: Microsoft

Aliases:

Trojan:MSIL/Parpwuts.B is also known as Trojan/Win32.Windef (AhnLab), Trojan-Dropper.Win32.Dorifel.wqp (Kaspersky).

Explanation:

In the wild, we have observed Trojan:MSIL/Parpwuts.B masquerading as a keyboard driver with the file name "kbdiumdm.exe".

You may be lured into downloading and running the trojan, thinking it is a legitimate driver or update for a keyboard.

Installation

When run, Trojan:MSIL/Parpwuts.B drops a copy of itself into the folder "%HOMEPATH%\Administrator\drivers", using one of the following file names:

  • explorer.exe
  • iexplorer.exe


Note: %HOMEPATH% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Home folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\". For Windows Vista, 7, and 8, the default location is "C:\Users\".

Trojan:MSIL/Parpwuts.B modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Explorer"
With data: "%HOMEPATH%\Administrator\drivers\<malware file>", for example "explorer.exe"

We have also observed recent versions of this trojan creating and dropping copies of itself in the "%HOMEPATH%\Administrator" folder.

These newer versions modify the following registry entry to ensure their copies run at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value>", for example "M0UxOTBDNkYQwErTaSdFg"
With data: "%HOMEPATH%\Administrator\<malware file>"
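As an added illustration, not part of the Microsoft write-up, the following Python scans a .reg export of the HKLM Run key for the two persistence shapes described above: the "Windows Explorer" value pointing into "%HOMEPATH%\Administrator\drivers", and a random value name pointing into "%HOMEPATH%\Administrator". The export text is a constructed sample; the function names and the heuristic of cutting an unquoted image path at the first ".exe" are assumptions of this example.

```python
import re
# Constructed sample .reg export of the HKLM Run key: two legitimate entries plus
# two shaped like the persistence entries described above (value name "Windows
# Explorer" / random value name, data under <profile root>\Administrator[\drivers]\).
SAMPLE_RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Explorer"="C:\\Users\\Administrator\\drivers\\explorer.exe"
"M0UxOTBDNkYQwErTaSdFg"="C:\\Documents and Settings\\Administrator\\iexplorer.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''
PROFILE_ROOTS = ("c:\\users\\", "c:\\documents and settings\\")  # defaults named above
DROP_NAMES = {"explorer.exe", "iexplorer.exe"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_entries(export_text):
    """Return (value_name, data) pairs, unescaping the doubled backslashes and quotes."""
    entries = []
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), re.sub(r'\\(["\\])', r"\1", m.group("data"))))
    return entries

def image_path(data):
    """Executable path from Run data: the quoted token, else cut at the first '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)", data)
    return m.group(1) if m else data.split(" ", 1)[0]

def parpwuts_indicators(name, data):
    """Reasons a Run value matches the pattern on this page (empty list means clean)."""
    path = image_path(data).lower()
    basename = path.rsplit("\\", 1)[-1]
    reasons = []
    if name.lower() == "windows explorer":
        reasons.append("value name 'Windows Explorer'")
    if basename in DROP_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append(f"{basename} launched from outside the Windows directory")
    if path.startswith(PROFILE_ROOTS) and "\\administrator\\" in path:
        reasons.append("image under <profile root>\\Administrator\\")
    return reasons

def scan_run_export(export_text):
    """Map each suspicious value name to its list of reasons."""
    found = ((n, parpwuts_indicators(n, d)) for n, d in parse_run_entries(export_text))
    return {n: r for n, r in found if r}
```

On a live host the same input is produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and the genuine explorer.exe under C:\Windows is not flagged.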

Payload

Trojan:MSIL/Parpwuts.B opens your Internet browser and displays pages from certain advertising or pornographic websites.



Analysis by Zarestel Ferrer

Last update 08 January 2013
