Win32/PSW.Pebox [Threat Name]

Win32/PSW.Pebox.AA [Threat Variant Name]

Category: trojan
Size: 37376 B
Detection created: Jul 14, 2009
Detection database version: 4243
Aliases:
  • Trojan-GameThief.Win32.OnLineGames.bnfw (Kaspersky)
  • PWS:Win32/Nemqe.B (Microsoft)
  • Generic.PWS.y!cbh (McAfee)
Short description

Win32/PSW.Pebox.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • %system%\Lecomd.dll (28672 B)
  • %system%\Kance.dll (4608 B)
  • %system%\YuMen.dll (256 B)

The trojan creates copies of the following files (source, destination):

  • %system%\lpk.dll, %system%\myLink.dll
  • %system%\Kance.dll, %system%\lpk.dll

The following files are deleted:

  • %system%\dllcache\lpk.dll

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "ins" = "*Lecomd.dll,"
    • "SfcDisable" = %variable1%

A string with variable content is used instead of %variable1%.


Libraries with the following names are injected into all running processes:

  • %system%\lpk.dll
  • %system%\Lecomd.dll

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan gathers information related to the following processes:

  • QQLogin.exe
  • DNF.exe

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • network adapter information

It can execute the following operations:

  • capture screenshots
  • send files to a remote computer

The trojan can send the information to a remote machine.


The trojan contains a list of one URL.


The HTTP protocol is used.

Other information

The trojan executes the following command:

  • %system%\sfc.exe /REVERT

The following programs are terminated:

  • QQLogin.exe
  • DNF.exe

The trojan may create copies of the following files (source, destination):

  • %system%\rundll32.exe, %temp%\%variable2%
  • %system%\lpk.dll, %system%\%variable3%.dat

A string with variable content is used instead of %variable2% and %variable3%.


The trojan may create the following files:

  • %system%\Bans.dat
  • %system%\dllcache\Pansss.jpg
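The following triage script is an added example and is not ESET's code or part of the original description. It checks a Windows host for the artifacts listed in the Installation and Other information sections above: the dropped files, the lpk.dll replacement and its deleted dllcache copy, the two Winlogon values, and Lecomd.dll loaded into running processes. It assumes an elevated PowerShell session, that %system% is $env:SystemRoot\System32, and that the dllcache check is only meaningful on hosts that still have Windows File Protection (the directory is skipped where it does not exist).

```powershell
# Added triage script (not ESET's code): looks for the file, registry and
# in-memory artifacts that this description attributes to Win32/PSW.Pebox.AA.
# Assumptions: elevated session; %system% = $env:SystemRoot\System32;
# dllcache checks apply only where the dllcache directory exists.
$ErrorActionPreference = 'Stop'
$system   = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Files the trojan creates or copies (Installation and Other information sections)
$droppedFiles = 'Lecomd.dll', 'Kance.dll', 'YuMen.dll', 'myLink.dll',
                'Bans.dat', 'dllcache\Pansss.jpg'
foreach ($name in $droppedFiles) {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        Add-Finding 'DroppedFile' "$path ($size B)"
    }
}

# 2. lpk.dll is overwritten with Kance.dll (4608 B). The genuine lpk.dll is
#    Microsoft-signed, so an unsigned copy or one of exactly that size is suspicious.
$lpk = Join-Path $system 'lpk.dll'
if (Test-Path -LiteralPath $lpk) {
    $size = (Get-Item -LiteralPath $lpk).Length
    $sig  = Get-AuthenticodeSignature -FilePath $lpk
    if ($sig.Status -ne 'Valid' -or $size -eq 4608) {
        Add-Finding 'ReplacedLpk' "$lpk size=$size signature=$($sig.Status)"
    }
}

# 3. The dllcache copy of lpk.dll is deleted so WFP cannot restore the original.
$dllcache = Join-Path $system 'dllcache'
if ((Test-Path -LiteralPath $dllcache) -and
    -not (Test-Path -LiteralPath (Join-Path $dllcache 'lpk.dll'))) {
    Add-Finding 'MissingDllcacheLpk' "$dllcache\lpk.dll is absent"
}

# 4. Winlogon values "ins" and "SfcDisable" (neither exists on a clean host)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
foreach ($valueName in 'ins', 'SfcDisable') {
    if ($props -and $props.PSObject.Properties[$valueName]) {
        Add-Finding 'WinlogonValue' "$valueName = $($props.$valueName)"
    }
}

# 5. Lecomd.dll injected into running processes. lpk.dll is injected too, but the
#    genuine lpk.dll is loaded by many processes, so its presence alone proves nothing.
foreach ($proc in Get-Process) {
    try {
        $hit = @($proc.Modules | Where-Object { $_.ModuleName -ieq 'Lecomd.dll' })
        if ($hit.Count -gt 0) {
            Add-Finding 'InjectedModule' "PID $($proc.Id) $($proc.ProcessName) loaded $($hit[0].FileName)"
        }
    } catch {
        # protected or bitness-mismatched processes refuse module enumeration; skip them
    }
}

if ($findings.Count -eq 0) { 'No Win32/PSW.Pebox.AA artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt on the host being examined; a 'ReplacedLpk' or 'WinlogonValue' finding is the strongest signal, since a legitimate lpk.dll carries a valid Microsoft signature and neither Winlogon value is present on a clean system. Treat 'MissingDllcacheLpk' as supporting evidence only, because the trojan's own %variable3%.dat copy and other cleanup tools can also leave that directory in an unusual state.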
