
PWS:Win32/Nemqe.B


First posted on 16 February 2010.
Source: SecurityHome

Aliases:

PWS:Win32/Nemqe.B is also known as Trojan.PWS.Nemqe.SS (VirusBuster), TR/PSW.Nemqe.B.7 (Avira), Win32/PSW.Pebox.CA (ESET), PWS.y!bur (McAfee), TROJ_NEMQE.SMN (Trend Micro).

Explanation:

PWS:Win32/Nemqe.B is a detection for the DLL component of a game password stealer.

Installation

PWS:Win32/Nemqe.B usually arrives as a component file of other malware, such as other PWS:Win32/Nemqe variants or PWS:Win32/Pebox.A. It is installed in the Windows system folder under a random file name. Some of the file names it has been known to use are the following:

  • Kance.dll
  • yxjansf.dll
  • lpk.dll

Payload

Loads other files

PWS:Win32/Nemqe.B queries for the data of the following registry entry:

  Entry: "Ins"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

For example:

  Entry: "Ins"
  With data: "nativeproc.dll,"
  In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

It then loads the DLL file specified in the data field of this registry entry. The DLL file associated with this registry entry is usually a member of the PWS:Win32/Nemqe or PWS:Win32/Pebox family. Both families are known for stealing information related to online games, such as user names, passwords, levels, gold, or money.
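As an added defensive check (not part of the original analysis), the following PowerShell reads the Winlogon key for the "Ins" value described above and reports each DLL it names, with its resolved path, existence, SHA-256 hash and Authenticode status, so an analyst can triage the loaded file. It assumes the value data is a comma-separated list of DLL names, as in the example above, and that a clean system carries no "Ins" value under Winlogon.

```powershell
# Added hunting check (not part of the original analysis): inspect the Winlogon key
# for the non-standard "Ins" value described above and resolve each DLL it names.
# Assumptions: the data is a comma-separated list of DLL names (the page shows
# "nativeproc.dll,") and a clean system has no "Ins" value under Winlogon.
function Get-WinlogonInsLoads {
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [string]$ValueName = 'Ins'
    )

    $key  = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $data = $key.GetValue($ValueName, $null)
    if ($null -eq $data) {
        return @()   # value absent, which is the expected state on a clean host
    }

    # Split on commas and drop the empty element left by a trailing comma.
    $names  = [string]$data -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $sysDir = [Environment]::SystemDirectory

    foreach ($name in $names) {
        # A bare file name resolves against the system folder, where the page says
        # the component is dropped; an absolute path is used as given.
        $path   = if ([IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $sysDir $name }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            ValueName = $ValueName
            Dll       = $name
            Resolved  = $path
            Exists    = $exists
            Sha256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString() } else { $null }
        }
    }
}

# Report anything found; an empty result means the "Ins" value is not present.
Get-WinlogonInsLoads | Format-Table -AutoSize
```

Run from an elevated PowerShell session; a non-empty result is a lead for further analysis (hash lookup, unsigned file in the system folder), not a verdict on its own.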

    Analysis by Elda Dimakiling

    Last update 16 February 2010
