Short description
Win32/PSW.Pebox.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
- %system%\Lecomd.dll (28672 B)
- %system%\Kance.dll (4608 B)
- %system%\YuMen.dll (256 B)
The trojan creates copies of the following files (source, destination):
- %system%\lpk.dll, %system%\myLink.dll
- %system%\Kance.dll, %system%\lpk.dll
The following files are deleted:
- %system%\dllcache\lpk.dll
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ins" = "*Lecomd.dll,"
"SfcDisable" = %variable1%
A string with variable content is used instead of %variable1%.
Libraries with the following names are injected into all running processes:
- %system%\lpk.dll
- %system%\Lecomd.dll
After the installation is complete, the trojan deletes the original executable file.
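The installation steps above give a defender a small, concrete set of host indicators: the three dropped DLLs with fixed sizes, the legitimate lpk.dll backed up as myLink.dll and overwritten by the 4608-byte Kance.dll, the dllcache copy of lpk.dll removed (so Windows File Protection cannot restore it), and the two Winlogon values. The script below is an added example, not part of the encyclopedia entry or of any vendor tool; it checks a mounted or offline copy of the %system% directory together with a text export of the Winlogon key (standard .reg format) and lists which indicators are present. The sample registry text and the fixture directory it builds are constructed for the demonstration; the SfcDisable data shown is a placeholder, since the entry states that value is variable.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the entry above; sizes are in bytes.
DROPPED_FILES = {"Lecomd.dll": 28672, "Kance.dll": 4608, "YuMen.dll": 256}
BACKUP_OF_LEGIT_LPK = "myLink.dll"
WINLOGON_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
)

# Constructed .reg export of the Winlogon key as it would look after infection.
# The SfcDisable data is a placeholder: the entry says its content varies.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ins"="*Lecomd.dll,"
"SfcDisable"="PLACEHOLDER-VARIABLE-CONTENT"
'''

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.

    Only quoted string values are unwrapped; any other data type
    (dword:, hex:) is kept as its raw right-hand side.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            result[current][name] = data
    return result


def check_host(system_dir, registry):
    """Return the indicator names found under system_dir (an offline copy of
    %system%) and in the parsed registry export."""
    system_dir = Path(system_dir)
    hits = []
    for name, size in DROPPED_FILES.items():
        p = system_dir / name
        if p.is_file():
            suffix = "" if p.stat().st_size == size else ":size-mismatch"
            hits.append(f"file:{name}{suffix}")
    # lpk.dll overwritten by Kance.dll (same size) and the WFP cache copy gone.
    lpk = system_dir / "lpk.dll"
    cache = system_dir / "dllcache" / "lpk.dll"
    if (lpk.is_file() and lpk.stat().st_size == DROPPED_FILES["Kance.dll"]
            and not cache.exists()):
        hits.append("lpk.dll-replaced-and-dllcache-copy-missing")
    if (system_dir / BACKUP_OF_LEGIT_LPK).is_file():
        hits.append(f"file:{BACKUP_OF_LEGIT_LPK}")
    winlogon = registry.get(WINLOGON_KEY, {})
    if "Lecomd.dll" in winlogon.get("ins", ""):
        hits.append("reg:Winlogon\\ins")
    if "SfcDisable" in winlogon:
        hits.append("reg:Winlogon\\SfcDisable")
    return hits


def make_sample_system(root):
    """Build a constructed %system% tree that mirrors the installation steps."""
    root = Path(root)
    (root / "dllcache").mkdir(parents=True, exist_ok=True)
    for name, size in DROPPED_FILES.items():
        (root / name).write_bytes(b"\0" * size)
    (root / BACKUP_OF_LEGIT_LPK).write_bytes(b"\0" * 16384)   # saved legit lpk.dll
    (root / "lpk.dll").write_bytes(b"\0" * DROPPED_FILES["Kance.dll"])
    # dllcache\lpk.dll is deliberately absent: the trojan deletes it.
    return root


def demo():
    """Run the check against the constructed fixture and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_system(tmp)
        return check_host(tmp, parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live host the same logic applies to the real %SystemRoot%\System32 path and to `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg`; a size match alone is weak evidence, so treat the combination of a 4608-byte lpk.dll, a missing dllcache copy and the Winlogon `ins` value as the meaningful signal.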
Information stealing
The trojan gathers information related to the following processes:
The following information is collected:
- network adapter information
It can execute the following operations:
- capture screenshots
- send files to a remote computer
The trojan can send the information to a remote machine.
The trojan contains a list of (1) URLs.
The HTTP protocol is used.
Other information
The trojan executes the following command:
The following programs are terminated:
The trojan may create copies of the following files (source, destination):
- %system%\rundll32.exe, %temp%\%variable2%
- %system%\lpk.dll, %system%\%variable3%.dat
A string with variable content is used instead of %variable2-3%.
The trojan may create the following files:
- %system%\Bans.dat
- %system%\dllcache\Pansss.jpg