WEEKLY REVIEW

[Malware Review] Trojan.PWS.KATES.AG

Internet search habits, passwords or login credentials

The moment it reaches a new system, Trojan.PWS.KATES creates a copy of itself and moves it to %userprofile%\Templates\memory.tmp. Once this initial task is completed, the original file is deleted.

Next, the malicious file creates the “Windows Server” subdirectory inside Local Settings\Application Data and drops a 3KB .dll file called pwfsdy.dll. The file's access, creation and write times are replaced with those of the user32.dll file, so the dropped file does not stand out in a timeline. In order for the .dll file to be automatically executed each time a program is run for the first time, a registry value is written under SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll. This means that any program the user installs will also launch this piece of malware.

Subsequently, the binary data stored in the Registry key HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy\lbtppwfsdy is executed by the pwfsdy.dll file.
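The two tricks described above (an AppCertDlls entry that points at a DLL in a user-writable folder, and a dropped file whose timestamps are a copy of user32.dll's) are both cheap to check for during triage. The following script is an added example written for this review, not BitDefender's tooling or anything from the original article: it parses a constructed `reg export` of the AppCertDlls key, flags any registered DLL that lives outside System32, and flags any DLL whose created/modified/accessed times are identical to those of user32.dll. The sample export, the file paths and the timestamps are all constructed for the example; the key name, the value name AppSecDll and the pwfsdy.dll path follow the article.

```python
"""Triage helper for AppCertDlls persistence and timestomping (added example).

Works on an offline .reg export plus a table of file timestamps, so it runs
without a Windows host; on a live system the same checks would be fed from
winreg and os.stat instead.
"""
import ntpath
import re
from datetime import datetime

# Real key path; the export below is constructed for this example.
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Windows Server\\pwfsdy.dll"
"LegitDll"="C:\\WINDOWS\\system32\\example.dll"
"""

# Constructed timestamps: pwfsdy.dll is an exact clone of user32.dll's times.
_USER32_TIMES = {
    "created": datetime(2004, 8, 4, 12, 0, 0),
    "modified": datetime(2004, 8, 4, 12, 0, 0),
    "accessed": datetime(2009, 1, 15, 9, 30, 0),
}
SAMPLE_TIMESTAMPS = {
    ntpath.normcase(r"C:\WINDOWS\system32\user32.dll"): dict(_USER32_TIMES),
    ntpath.normcase(r"C:\Documents and Settings\user\Local Settings\Application Data\Windows Server\pwfsdy.dll"): dict(_USER32_TIMES),
    ntpath.normcase(r"C:\WINDOWS\system32\example.dll"): {
        "created": datetime(2008, 3, 2, 8, 0, 0),
        "modified": datetime(2008, 3, 2, 8, 5, 0),
        "accessed": datetime(2009, 1, 15, 9, 31, 0),
    },
}


def parse_reg_export(text):
    """Return {value_name: dll_path} for the AppCertDlls key in a .reg export."""
    entries = {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key != APPCERT_KEY:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            name, raw = m.groups()
            # .reg files escape backslashes as "\\"; undo that.
            entries[name] = raw.replace("\\\\", "\\")
    return entries


def dll_outside_system32(path, system_root=r"C:\WINDOWS"):
    """True if the DLL is not under %SystemRoot%\\System32 (case-insensitive)."""
    normalized = ntpath.normcase(ntpath.normpath(path))
    system32 = ntpath.normcase(ntpath.join(system_root, "system32")) + "\\"
    return not normalized.startswith(system32)


def timestamps_cloned(dll_times, reference_times):
    """True if created, modified and accessed times all match the reference exactly."""
    return all(dll_times[k] == reference_times[k] for k in ("created", "modified", "accessed"))


def triage_appcertdlls(reg_text, timestamps, system_root=r"C:\WINDOWS"):
    """Return [(value_name, dll_path, [reasons])] for suspicious AppCertDlls entries."""
    findings = []
    user32 = timestamps.get(ntpath.normcase(ntpath.join(system_root, "system32", "user32.dll")))
    for name, path in parse_reg_export(reg_text).items():
        reasons = []
        if dll_outside_system32(path, system_root):
            reasons.append("dll outside system32")
        times = timestamps.get(ntpath.normcase(path))
        if times and user32 and timestamps_cloned(times, user32):
            reasons.append("timestamps identical to user32.dll")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage_appcertdlls(SAMPLE_REG_EXPORT, SAMPLE_TIMESTAMPS):
        print(f"{name}: {path}\n  -> {', '.join(reasons)}")
```

On a live system the timestamp check should also be applied to the other artefacts named above (the memory.tmp copy and the “Windows Server” directory), since a file whose three NTFS timestamps coincide exactly with a system DLL's is rarely legitimate.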

The call to action is triggered once the Trojan is loaded alongside the Internet browser the computer owner uses to access web pages. Whether the browser is Firefox®, Opera® or Internet Explorer®, Trojan.PWS.KATES hooks the functions that transfer data over the Internet connection, filters out what appear to be search result pages delivered by search engines, and randomly replaces them with a URL that takes the user to “exotic” destinations such as fake online antivirus scanners or websites that contain pornographic content.

Apart from constantly monitoring the user’s choice of sites, Trojan.PWS.KATES also peeps at users’ passwords and at whatever other critical data they provide on the Internet, shipping it to the malware developer’s servers.

The technical information in this article is available courtesy of BitDefender virus researcher Voicu Hodrea.

About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.
