Threat Encyclopedia


Win32/PSW.Pebox.AA

Aliases: Trojan-GameThief.Win32.OnLineGames.bnfw (Kaspersky), PWS:Win32/Nemqe.B (Microsoft), Generic PWS.y!cbh (McAfee)
Type of infiltration: Trojan
Size: 37376 B
Affected platforms: Microsoft Windows
Signature database version: 4403 (20090907)

Short description

Win32/PSW.Pebox.AA is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:
  • %system%\Lecomd.dll (28672 B)
  • %system%\Kance.dll (4608 B)
  • %system%\YuMen.dll (256 B)
The trojan creates copies of the following files (source, destination):
  • %system%\lpk.dll, %system%\myLink.dll
  • %system%\Kance.dll, %system%\lpk.dll
The following files are deleted:
  • %system%\dllcache\lpk.dll
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "ins" = "*Lecomd.dll,"
    "SfcDisable" = %variable1%
A string with variable content is used instead of %variable1%.

Libraries with the following names are injected into all running processes:
  • %system%\lpk.dll
  • %system%\Lecomd.dll
After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan gathers information related to the following processes:
  • QQLogin.exe
  • DNF.exe
The following information is collected:
  • network adapter information
It can execute the following operations:
  • capture screenshots
  • send files to a remote computer
The trojan can send the information to a remote machine.

The trojan contains a list of one URL.

The HTTP protocol is used.

Other information

The trojan executes the following command:
  • %system%\sfc.exe /REVERT
The following programs are terminated:
  • QQLogin.exe
  • DNF.exe
The trojan may create copies of the following files (source, destination):
  • %system%\rundll32.exe, %temp%\%variable2%
  • %system%\lpk.dll, %system%\%variable3%.dat
A string with variable content is used instead of %variable2-3%.

The trojan may create the following files:
  • %system%\Bans.dat
  • %system%\dllcache\Pansss.jpg