Win32/PSW.Eruwbi [Threat Name]

Win32/PSW.Eruwbi.AA [Threat Variant Name]

Category: trojan
Size: 93184 B
Detection created: Apr 15, 2010
Detection database version: 5030
Aliases: Trojan-PSW.Win32.Eruwbi.el (Kaspersky)
         Trojan:Win32/Startpage.RH (Microsoft)
         TSPY_ERUWBI.R (TrendMicro)
Short description

Win32/PSW.Eruwbi.AA is a trojan that tries to promote certain web sites. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.

The following files are dropped:

  • %desktop%\%filename1%.exe (13824 B)
  • %desktop%\%filename2%.exe (9728 B)
  • %desktop%\%filename3%.exe (12288 B)
  • %desktop%\%filename4%.exe (8704 B)
  • %desktop%\%filename5%.exe (15872 B)
  • %favorites%\%filename6%.url (76 B)
  • %favorites%\%filename7%.url (155 B)
  • %favorites%\%filename8%.url (76 B)
  • %commonprograms%\Internet Explorer.lnk (651 B)
  • %programs%\Internet Explorer.lnk (651 B)
  • %commonstartmenu%\Internet Explorer.lnk (651 B)
  • %startmenu%\Internet Explorer.lnk (651 B)
  • %appdata%\GM_REP_V4.ini
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk (651 B)

%filename1-8% stands for a string written in Chinese (CN).

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\WinRAR]
    • "uid" = 0
    • "uname" = "system"

Other information

The trojan changes the home page of the following web browsers:

  • Internet Explorer
  • Mozilla Firefox
  • Opera
  • TencentTraveler
  • Maxthon
  • TheWorld
  • GreenBrowser
  • 360SE

The trojan opens the following URLs in Internet Explorer:

  • bg.go4321.com
  • life.74443.com
  • qm.go4321.com
  • t.go4321.com
  • www.1feel.net
  • www.44992.com
  • www.dh4321.com/?plus
  • www.meinvly.com

The user may be redirected to one of the following Internet web sites:

  • ivc.haodizhi.cc
  • jump.41119.cn
  • tc.go4321.com
  • www.38522.com/ivc/index.htm
  • www.78186.com
  • www.dh4321.com/?system
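As an added triage check that is not part of the ESET description, the following PowerShell script looks on a host for the dropped files and the HKLM\SOFTWARE\WinRAR values listed above. It assumes rights to read HKLM and the current user's shell folders, and resolves the %commonprograms%, %programs%, %startmenu%, %appdata%, %desktop% and %favorites% placeholders through .NET special-folder names.

```powershell
# Added triage script, not part of the ESET description: checks a host for the
# dropped files and registry values listed above. Assumes rights to read HKLM
# and the current user's shell folders; names and sizes are taken from the page.
$findings = @()

# Registry values listed under HKEY_LOCAL_MACHINE\SOFTWARE\WinRAR.
# A WinRAR install creates the key itself, so only the two values count as a hit.
$key = 'HKLM:\SOFTWARE\WinRAR'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    if ($p.uid -eq 0 -and $p.uname -eq 'system') {
        $findings += "Registry: $key uid=0, uname=system"
    }
}

# "Internet Explorer.lnk" in each folder the page names (651 B when dropped).
# Windows places its own Internet Explorer shortcut in some of these folders,
# so the size match is what separates a lead from a normal shortcut.
$appdata = [Environment]::GetFolderPath('ApplicationData')
$lnkFolders = @(
    [Environment]::GetFolderPath('CommonPrograms'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $appdata 'Microsoft\Internet Explorer\Quick Launch')
)
foreach ($folder in $lnkFolders) {
    $lnk = Join-Path $folder 'Internet Explorer.lnk'
    if ((Test-Path $lnk) -and ((Get-Item $lnk).Length -eq 651)) {
        $findings += "Shortcut (651 B): $lnk"
    }
}

$ini = Join-Path $appdata 'GM_REP_V4.ini'
if (Test-Path $ini) { $findings += "File: $ini" }

# The dropped .exe and .url names are Chinese strings the page does not spell
# out, so Desktop and Favorites are scanned for files matching the listed sizes.
$sizes = @{ Desktop = @(13824, 9728, 12288, 8704, 15872); Favorites = @(76, 155) }
foreach ($name in $sizes.Keys) {
    $hits = Get-ChildItem -Path ([Environment]::GetFolderPath($name)) -File -ErrorAction SilentlyContinue |
        Where-Object { $sizes[$name] -contains $_.Length }
    foreach ($h in $hits) { $findings += "Size match: $($h.FullName) ($($h.Length) B)" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Win32/PSW.Eruwbi.AA artifacts found' }
```

Size-only matches on the Desktop and in Favorites are weak evidence on their own; the registry pair and a 651-byte shortcut are the stronger indicators to confirm against the list above.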
