Installation
When executed, the trojan copies itself into the %windir% folder using the following name:
9129837.exe
The following file is dropped in the same folder:
new_drv.sys (7680 B)
The trojan registers the dropped driver as a system service named new_drv, using the following display name:
!!!!
In order to be executed on every system start, the trojan sets the following Registry entry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool" = "%windir%\9129837.exe"
The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\0000\Control]
"NewlyCreated" = 0
"ActiveService" = "new_drv"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\0000]
"Service" = "new_drv"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "!!!!"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV]
"NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum]
"0" = "Root\LEGACY_NEW_DRV\0000"
"Count" = 1
"NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]
"Type" = 1
"Start" = 3
"ErrorControl" = 0
"ImagePath" = "%windir%\new_drv.sys"
"DisplayName" = "!!!!"
[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"k1" = %variable1%
"k2" = %variable2%
"version" = 220
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
"Start" = 4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Start" = 4
%variable1% and %variable2% stand for random text.
Information stealing
Win32/PSW.Small.NAF is a trojan that steals passwords and other sensitive information.
The trojan gathers information related to the following services:
FTP
POP3
IMAP
ICQ
The trojan can send the information to a remote machine. The trojan contains a URL address. The HTTP protocol is used.
Other information
The trojan alters the behavior of the following services (SharedAccess and wscsvc are disabled by setting their Start value to 4, as listed above):
ALG (Application Layer Gateway Service)
SharedAccess (Windows Firewall/Internet Connection Sharing (ICS))
wscsvc (Security Center)
The trojan may create the following file:
%system%\abcdefg.bat
The trojan may delete files stored in the following folder:
%userprofile%\cookies\
The trojan can download and execute a file from the Internet.
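The following PowerShell triage script is an added example and is not part of this entry or of any ESET tool. It checks a Windows host for the artifacts listed above: the two dropped files, the HKCU Run value, the new_drv service and its legacy device node, the InetData key, the batch file from the Other information section, and the disabled state (Start = 4) of the SharedAccess and wscsvc services. It assumes %system% resolves to %windir%\System32 and that it is run with rights to read HKLM; every path and key name comes from the entry.

```powershell
# Added triage script (not part of the ESET entry). Reports artifacts of
# Win32/PSW.Small.NAF as described in the entry; finds nothing else.
$findings = New-Object System.Collections.Generic.List[string]

$windir = $env:WINDIR
$system = Join-Path $windir 'System32'   # assumption: %system% is System32

# 1. Dropped files: the copy of the trojan, the driver, and the batch file
foreach ($f in @("$windir\9129837.exe", "$windir\new_drv.sys", "$system\abcdefg.bat")) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f).Length
        $findings.Add("file present: $f ($size B)")
    }
}

# 2. Persistence: HKCU Run value "ttool" pointing at the dropped executable
$run = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ttool = (Get-ItemProperty -Path $run -Name 'ttool' -ErrorAction SilentlyContinue).ttool
if ($ttool) { $findings.Add("Run value ttool = $ttool") }

# 3. Kernel driver service new_drv (Type 1 = kernel driver, Start 3 = manual)
#    and the legacy device node Windows creates for it
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\new_drv'
if (Test-Path $svc) {
    $p = Get-ItemProperty -Path $svc
    $findings.Add("service new_drv: ImagePath=$($p.ImagePath) DisplayName=$($p.DisplayName) Type=$($p.Type) Start=$($p.Start)")
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV') {
    $findings.Add('legacy device node Root\LEGACY_NEW_DRV present')
}

# 4. Per-user configuration key written by the trojan (k1/k2 are random text)
$inet = 'HKCU:\Software\Microsoft\InetData'
if (Test-Path $inet) {
    $p = Get-ItemProperty -Path $inet
    $findings.Add("InetData: k1=$($p.k1) k2=$($p.k2) version=$($p.version)")
}

# 5. Security services the trojan disables via Start = 4 (SERVICE_DISABLED)
foreach ($name in 'SharedAccess', 'wscsvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings.Add("$name Start=4 (disabled)") }
}

# 6. Live state of the services whose behavior the entry says is altered
Get-Service -Name ALG, SharedAccess, wscsvc -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("service $($_.Name): $($_.Status)") }

if ($findings.Count -eq 0) {
    'No Win32/PSW.Small.NAF artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it in an elevated prompt so the HKLM service keys and %windir% are readable. A hit on the Run value or the new_drv service alone is a strong indicator; a disabled SharedAccess or wscsvc on its own is only corroborating, since administrators sometimes disable those services deliberately.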
