
PWS:Win32/Bividon.A


First posted on 03 December 2009.
Source: SecurityHome

Aliases :

PWS:Win32/Bividon.A is also known as VirTool:Win32/Delfsnif.gen (Microsoft), Proxy.TZO (AVG), Trojan.Proxy.Delf.DH (BitDefender), Win32/Talpalk.J (CA), Win32/TrojanProxy.Delf.DB (ESET), Trojan-Proxy.Win32.Delf.db (Kaspersky), PWS-Mmorpg.gen (McAfee), W32/Malware.ATRA (Norman), Trj/Maha.I (Panda), Troj/Delf-EYD (Sophos), TROJ_DELF.JPH (Trend Micro), Trojan.IEInject.W (VirusBuster), Trojan:Win32/Killav.EA (other).

Explanation :

PWS:Win32/Bividon.A installs trojan components that capture logon credentials, user keystrokes and mouse operations, which are then sent to a remote server. The trojan components also attempt to stop security-related services, download configuration data files and update from a remote server. They may also report their presence on the system to the remote server.

Installation

PWS:Win32/Bividon.A may be installed by other malware or when a user inadvertently downloads and executes it via a malicious hyperlink. In the wild, this trojan may be distributed as a hyperlink within spammed e-mail messages, sometimes posing as e-cards (electronic greeting cards). In some instances, the link appears as the following:

  http://<domain and path>/gusanito.exe

The domain and path vary. When run, the trojan may drop components such as the following:

  • %APPDATA%\gusanito.exe - PWS:Win32/Bividon.A
  • %APPDATA%\<file name 1.dll> (e.g. "klg1.dll") - PWS:Win32/Bividon.A.dll
  • %APPDATA%\<file name 2.dll> (e.g. "xoong3.dll") - Trojan:Win32/Killav.EA

The registry is modified to execute the dropped trojan copy at each Windows start:

  Adds value: "keylogger"
  With data: "%APPDATA%\gusanito.exe"
  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  Adds value: "keylogger"
  With data: "%APPDATA%\gusanito.exe"
  To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The dropped executable (e.g. "gusanito.exe") is then executed.

Payload

Steals user credentials

PWS:Win32/Bividon.A launches an instance of the Web browser Internet Explorer (IE) and loads the payload component (e.g. %APPDATA%\klg1.dll) into the running IE process. PWS:Win32/Bividon.A.dll monitors the windows that are opened. If a window's title is one of the following strings, it closes the current window and starts a new instance of IE, which redirects to specific Web sites:

  • Bienvenido a Bancanet Empresarial
  • Welcome to Bancanet Empresarial
  • HSBC México - Conexión para Negocios
  • Bancomer
  • Empresarial Internet
  • Bienvenido a Bancanet

The strings above are likely related to online banking. PWS:Win32/Bividon.A.dll monitors user keystrokes and mouse operations, reads input text from certain web pages (e.g. Hotmail e-mail messages), and logs them into a local file. In the wild, this trojan was observed to create the following log data file:

  %APPDATA%\ccxeeee.html

Sends and receives data to and from a remote server

PWS:Win32/Bividon.A launches an instance of Notepad and loads the helper component (e.g. "%APPDATA%\xoong3.dll") into the running "Notepad.exe" process. PWS:Win32/Bividon.A.dll retrieves configuration data from a remote server (for example "cmxpet.com"). This trojan may report its installation to a specified remote server, along with keystrokes, mouse operations and text logs from the infected system.

Disables security-related software

PWS:Win32/Bividon.A.dll attempts to disable security software by restoring the system API hooks installed by the security software.

Additional Information

PWS:Win32/Bividon.A monitors the presence of the processes into which its payload components are injected. Once these processes are terminated, it reloads them. PWS:Win32/Bividon.A may modify the registry by creating a "marker" for its own use, as in the following example:

  Adds value: "first"
  With data: "0" or "1"
  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion
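The following is an added example, not part of this write-up or of Microsoft's analysis: a small Python checker that parses the text of a `reg export` (.reg) file and flags the Run-key persistence value and the HKCU "first" marker described above. The sample export, the user name "alice" and the benign "OneDrive" entry are constructed for illustration.

```python
import re

# Indicators quoted from the write-up: the Run value, the dropped EXE and the marker value.
RUN_SUBKEY = r"software\microsoft\windows\currentversion\run"
MARKER_SUBKEY = r"software\microsoft\windows\currentversion"

def parse_reg_export(text):
    """Parse `reg export` (.reg) text into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)):
            # .reg escapes backslashes and quotes inside REG_SZ data; undo that.
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def find_bividon_indicators(reg_text):
    """Return (hive, finding) tuples for Bividon-style persistence and marker entries."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        hive, _, subkey = key.partition("\\")
        if subkey.lower() == RUN_SUBKEY:
            for name, data in values.items():
                if name.lower() == "keylogger" or data.lower().endswith("gusanito.exe"):
                    findings.append((hive, f"Run value {name!r} -> {data}"))
        elif subkey.lower() == MARKER_SUBKEY and hive == "HKEY_CURRENT_USER":
            if values.get("first") in ("0", "1"):
                findings.append((hive, f"marker value 'first' = {values['first']}"))
    return findings

# Constructed sample export (not a real capture): both infected Run keys, the marker, and one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"keylogger"="C:\\Users\\alice\\AppData\\Roaming\\gusanito.exe"
"OneDrive"="C:\\Program Files\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"first"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"keylogger"="C:\\Users\\alice\\AppData\\Roaming\\gusanito.exe"
'''
```

Running `find_bividon_indicators(SAMPLE_REG)` on the constructed export reports the two Run values and the marker while leaving the benign entry alone; on a real host, feed it the output of `reg export` for the HKCU and HKLM CurrentVersion keys.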

    Analysis by Shawn Wang & Patrick Nolan

    Last update 03 December 2009
