Win32/PSW.Small.NAF

Category: trojan
Size: 27136 B
Detection created: Nov 24, 2006
Detection database version: 1882
Aliases: Trojan-PSW.Win32.Papras.dc (Kaspersky), Generic.f.trojan (McAfee), Trojan:Win32/Meredrop (Microsoft)
Short description

Win32/PSW.Small.NAF is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. It uses techniques common to rootkits.

Installation

When executed, the trojan copies itself into the %windir% folder using the following name:

  • 9129837.exe

The following file is dropped in the same folder:

  • new_drv.sys (7680 B)

The trojan registers itself as a system service using the following name:

  • !!!!

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ttool" = "%windir%\9129837.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\0000\Control]
    • "NewlyCreated" = 0
    • "ActiveService" = "new_drv"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\0000]
    • "Service" = "new_drv"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "!!!!"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum]
    • "0" = "Root\LEGACY_NEW_DRV\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 0
    • "ImagePath" = "%windir%\new_drv.sys"
    • "DisplayName" = "!!!!"
  • [HKEY_CURRENT_USER\Software\Microsoft\InetData]
    • "k1" = %variable1%
    • "k2" = %variable2%
    • "version" = 220
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
    • "Start" = 4

%variable1% and %variable2% represent random text.

Information stealing

Win32/PSW.Small.NAF is a trojan that steals passwords and other sensitive information.

The trojan gathers information related to the following services:

  • FTP
  • POP3
  • IMAP
  • ICQ

The trojan can send the information to a remote machine.

The trojan contains a URL.

The HTTP protocol is used.

Other information

The trojan alters the behavior of the following processes:

  • ALG (Application Layer Gateway Service)
  • SharedAccess (Windows Firewall/Internet Connection Sharing (ICS))
  • wscsvc (Security Center)

The trojan may create the following files:

  • %system%\abcdefg.bat

The trojan may delete files stored in the following folders:

  • %userprofile%\cookies\

The trojan can download and execute a file from the Internet.
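The Registry entries listed under "Installation" and the file names listed above and under "Other information" are the host indicators a responder would sweep for. The following is an added example, not ESET's code or part of this description: a small Python script that parses a Regedit-style .reg export (as produced by "reg export") and a file listing, and reports which of the documented indicators are present. The sample export and listing embedded in it are constructed for the demonstration, not captured from an infected machine; the random "k1"/"k2" strings are placeholders. Disabled SharedAccess and wscsvc services are reported as weak indicators, since those settings also occur on clean systems.

```python
"""Match a .reg export and a file listing against the Win32/PSW.Small.NAF
indicators described on this page (added example, not ESET's tooling)."""
import re
from typing import Dict, Iterable, List

# Registry keys named in the description (the registry is case-insensitive).
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DRIVER_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\InetData"
DISABLED_SERVICE_KEYS = {
    "SharedAccess": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess",
    "wscsvc": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc",
}
# Files the trojan copies, drops or creates; matched on the basename only.
DROPPED_FILES = {"9129837.exe", "new_drv.sys", "abcdefg.bat"}

# "name"=value or @=value (default value) lines of the .reg format.
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _parse_value(raw: str):
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)      # REG_DWORD written as hex
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])              # REG_SZ
    return raw  # hex(...) blobs and other types are kept verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers followed by "name"=value lines. Key paths and
    value names are lower-cased so lookups are case-insensitive."""
    registry: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            registry.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1) or "").lower()   # '@' -> default value ""
        registry[current][name] = _parse_value(m.group(2))
    return registry


def registry_indicators(registry: Dict[str, Dict[str, object]]) -> List[str]:
    """Return findings; 'strong' ones are specific to this family, 'weak'
    ones (disabled services) also occur in benign configurations."""
    findings = []
    run_value = registry.get(RUN_KEY.lower(), {}).get("ttool")
    if isinstance(run_value, str) and run_value.lower().endswith("9129837.exe"):
        findings.append(f"strong: Run persistence 'ttool' -> {run_value}")
    svc = registry.get(DRIVER_SERVICE_KEY.lower(), {})
    image = svc.get("imagepath")
    if isinstance(image, str) and image.lower().endswith("new_drv.sys"):
        findings.append(f"strong: driver service new_drv -> {image}")
    if svc.get("displayname") == "!!!!":
        findings.append("strong: service new_drv registered with display name '!!!!'")
    if CONFIG_KEY.lower() in registry:
        findings.append("strong: configuration key HKCU\\Software\\Microsoft\\InetData present")
    for name, key in DISABLED_SERVICE_KEYS.items():
        if registry.get(key.lower(), {}).get("start") == 4:
            findings.append(f"weak: {name} service disabled (Start = 4)")
    return findings


def file_indicators(paths: Iterable[str]) -> List[str]:
    """Return the paths from a file listing whose basename is a dropped file."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


# Constructed sample export (not a real capture) mirroring the entries above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool"="%windir%\\9129837.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"="%windir%\\new_drv.sys"
"DisplayName"="!!!!"

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"k1"="placeholder1"
"k2"="placeholder2"
"version"=dword:000000dc

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""
# Constructed file listing: two dropped files plus an unrelated binary.
SAMPLE_LISTING = [r"C:\WINDOWS\9129837.exe", r"C:\WINDOWS\system32\abcdefg.bat",
                  r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for finding in registry_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
    for path in file_indicators(SAMPLE_LISTING):
        print(f"strong: dropped file present -> {path}")
```

To run it against a real host, export the hives with "reg export" and feed the file's text to parse_reg_export, and pass a recursive listing of %windir% and %system% to file_indicators; matching on basenames rather than on the literal %windir% string keeps the check valid whether the export shows the variable or the expanded path.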
