Win32/PSW.VB.NIS [Threat Name]

Win32/PSW.VB.NIS [Threat Variant Name]

Category trojan
Size 314880 B
Detection created Nov 30, -0001
Signature database version 10020
Aliases Trojan-PSW.Win32.Chisburg.gxo (Kaspersky), Win32:Malware-gen (Avast)
Short description

Win32/PSW.VB.NIS is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into one or more of the following locations:

  • %appdata%\%variable1%\%variable2%.exe
  • %temp%\%variable1%\%variable2%.exe

The trojan creates the following file:

  • %malwarefolder%\%variable1%\%variable2%.exe.lnk

The file is a shortcut to the malicious executable.
In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "shell" = "%malwarefolder%\%variable1%\%variable2%.exe,explorer.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%malwarefolder%\%variable1%\%variable2%.exe.lnk"

A string with variable content is used in place of %variable1%, %variable2% and %variable3%.
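A defender-side check for the two persistence entries just described, written as an added PowerShell example that is not part of the ESET entry. It flags a per-user Winlogon "Shell" value that is anything other than explorer.exe (on a stock system that value lives under HKLM, so a per-user copy is itself unusual) and Run values that point at a .lnk file or at a path under %appdata% or %temp%; the reason strings are my own wording.

```powershell
# Added example: review HKCU persistence locations used by Win32/PSW.VB.NIS.
# Read-only; it reports findings and changes nothing.

$findings = @()

# 1. Per-user Winlogon Shell override ("<malware>.exe,explorer.exe" pattern).
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
    $findings += [pscustomobject]@{
        Key = $winlogon; Name = 'Shell'; Value = $shell
        Reason = 'per-user Winlogon Shell value does not equal explorer.exe'
    }
}

# 2. Run values that launch a shortcut or something under %appdata%/%temp%.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$userDirs = @($env:APPDATA, $env:TEMP) | Where-Object { $_ }

if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }          # provider metadata, not a Run entry
        $raw = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim().TrimStart('"')
        $reasons = @()
        if ($expanded -match '\.lnk("|\s|$)') { $reasons += 'Run value points at a .lnk shortcut' }
        foreach ($d in $userDirs) {
            if ($expanded.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "Run value lives under user-writable directory $d"
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Key = $run; Name = $p.Name; Value = $raw; Reason = ($reasons -join '; ')
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No matching persistence entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Legitimate per-user software does install under %appdata%, so a hit on the second check is a lead to review against the file's publisher and hash, not a verdict on its own.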

Information stealing

Win32/PSW.VB.NIS is a trojan that steals sensitive information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Safari
  • Opera
  • Yahoo! Messenger
  • Filezilla
  • Pidgin
  • Internet Download Manager
  • JDownloader
  • Trillian
  • Outlook Express
  • Microsoft Outlook
  • IncrediMail
  • Eudora
  • Netscape
  • Mozilla Thunderbird
  • Group Mail Free

The following services are affected:

  • Windows Live
  • Remote Access Phonebook
  • Windows Mail
  • Windows Live Mail
  • Yahoo! Mail
  • Gmail
  • MSN
  • Hotmail

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a URL and communicates with it over HTTP.

Other information

The trojan launches the following processes:

  • %defaultbrowser%
  • %malwarefilepath%

The trojan creates and runs a new thread with its own code within these running processes.