
PWS:Win32/Enterak.B


First posted on 08 September 2019.
Source: Microsoft

Aliases:

There are no other names known for PWS:Win32/Enterak.B.

Explanation:

Installation

This threat can be installed by other malware, such as TrojanDropper:WinNT/Enterok.A.

It makes the following changes to the registry as part of its installation process:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{}\InProcServer32
Sets value: (default)
With data: ""

In subkey: HKLM\SOFTWARE\Classes\CLSID\{}
Sets value: (default)
With data: "0"

It is installed as a Browser Helper Object (BHO) by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{}
Sets value: (default)
With data: (value not set)
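
To audit a host for the kind of registration described above, the following read-only PowerShell sketch lists every machine-wide BHO, resolves its CLSID to the DLL under InProcServer32, and reports the class name and Authenticode status. It is an added example, not part of the Microsoft write-up; the variable names and output columns are illustrative.

```powershell
# Added example: enumerate machine-wide Browser Helper Objects and resolve each
# CLSID to the DLL registered under its InProcServer32 key. Read-only.
$bhoPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views   = [Microsoft.Win32.RegistryView]::Registry64,
           [Microsoft.Win32.RegistryView]::Registry32   # 32-bit view = WOW6432Node

$report = foreach ($view in $views) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $bho = $hklm.OpenSubKey($bhoPath)
    if ($null -eq $bho) { $hklm.Dispose(); continue }

    foreach ($clsid in $bho.GetSubKeyNames()) {
        $cls = $hklm.OpenSubKey("SOFTWARE\Classes\CLSID\$clsid")
        $srv = $hklm.OpenSubKey("SOFTWARE\Classes\CLSID\$clsid\InProcServer32")

        # (default) value of the CLSID key is the class display name;
        # (default) value of InProcServer32 is the DLL that gets loaded.
        $name = ''
        if ($cls) { $name = [string]$cls.GetValue('') }
        $dll = ''
        if ($srv) { $dll = ([string]$srv.GetValue('')).Trim('"') }

        $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
        $sig = 'n/a'
        if ($onDisk) {
            $sig = [string](Get-AuthenticodeSignature -LiteralPath $dll).Status
        }

        [pscustomobject]@{
            View      = [string]$view
            Clsid     = $clsid
            ClassName = $name      # this threat sets the class name to "0"
            Dll       = $dll       # empty = BHO entry with no registered server
            OnDisk    = $onDisk
            Signature = $sig       # Valid, NotSigned, HashMismatch, ...
        }
    }
    $hklm.Dispose()
}

# Entries that are unsigned, missing on disk, or oddly named deserve a closer look.
$report | Sort-Object Signature, Clsid | Format-Table -AutoSize
```

When run from 64-bit PowerShell, a System32 path read from the 32-bit view is checked against the real System32 directory, whereas a 32-bit browser would load it from SysWOW64, so verify those paths in both locations.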

Payload

Steals online game and banking credentials

This threat can monitor, and attempt to steal, the credentials you type into the following websites:

Online game websites: aion.plaync.jp aran.kr.gameclub.com auth.siren24.com baram.nexon.com bns.plaync.com booknlife.com capogames.net cultureland.co.kr clubaudition.ndolfin.com df.nexon.com dk.halgame.com dragonnest.nexon.com elsword.nexon.com fifaonline.pmang.com fifaonline3.nexon.com fmaplestory.nexon.com hangame.com happymoney.co.kr heroes.nexon.com id.hangame.com itembay.com itemmania.com kr.battle.net lcs.mezzo.hangame.com login.nexon.com maplestory.nexon.com netmarble.net nexon.com plaync.co.kr pmang.com poker.hangame.com samwinfo.capogames.net teencash.co.kr tera.hangame.com yulgang.mgame.com

Banking websites: bank.cu.co.kr banking.nonghyup.com epostbank.go.kr ibk.co.kr kbstar.com keb.co.kr shinhan.com wooribank.com

Analysis by Carmen Liang

Last update 08 September 2019

 
