Win32/PSW.Stealer [Threat Name]

Win32/PSW.Stealer.NAK [Threat Variant Name]

Category: trojan
Size: 535552 B
Detection created: Dec 12, 2016
Signature database version: 14592
Aliases: Trojan:Win32/Dynamer!ac (Microsoft)
Short description

Win32/PSW.Stealer.NAK is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

The trojan is probably a part of other malware.


The trojan creates the following files:

  • %windir%\system32\%variable%.dll (218624 B, Win32/PSW.Stealer.NAK)

A string with variable content is used instead of %variable%.


The trojan may create the following files in the %localappdata%\%variable%\ folder:

  • avnl0l..
  • cvnl0l..
  • fvnl0l..
  • evnl0l..
  • hvnl0l..

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    • "Security Packages" = "%originalvalue%,%variable%.dll"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Classes\%variable%]
    • "avnl0l"
    • "cvnl0l"
    • "evnl0l"
    • "fvnl0l"
    • "hvnl0l"
  • [HKEY_LOCAL_MACHINE\Software\Classes\%variable%]
    • "avnl0l"
    • "cvnl0l"
    • "evnl0l"
    • "fvnl0l"
    • "hvnl0l"

Spreading on removable media

The trojan may create copies of itself on removable drives.


The trojan may create the following folders:

  • %removabledrive%\360SANDBOX\
  • %removabledrive%\RECYCLED\
  • %removabledrive%\RECYCLED\%variable1%\

The folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.


The trojan copies itself to the following location:

  • %removabledrive%\RECYCLED\%variable1%\%variable2%.dat

This copy of the trojan is then executed.


The trojan may create the following files:

  • %removabledrive%\%variable3%.lnk

The file is a shortcut to a malicious file.


A string with variable content is used instead of %variable1-3%.

Information stealing

The trojan collects various information related to the operating system.


The following information is collected:

  • operating system version
  • login name
  • login password

The trojan can send the information to a remote machine.

Other information

The trojan may create the following files:

  • %temp%\%variable4%
  • %localappdata%\%variable5%\%variable6%
  • C:\nNetLib.log

The trojan creates and runs a new thread with its own program code within the following processes:

  • %temp%\%variable4%
  • %localappdata%\%variable5%\%variable6%
  • %system%\rundll32.exe
  • %system%\svchost.exe
  • %windir%\explorer.exe
  • %windir%\system32\svchost.exe
  • %windir%\syswow64\explorer.exe
  • %windir%\syswow64\svchost.exe

A string with variable content is used instead of %variable4-6%.


Win32/PSW.Stealer.NAK attempts to gain administrative privileges on the system.


The trojan hooks the following Windows APIs:

  • LsaApLogonUserEx2 (msv1_0.dll)
  • SpLsaModeInitialize (msv1_0.dll)
  • SpUserModeInitialize (msv1_0.dll)
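Registering a DLL in the LSA "Security Packages" value (see the persistence entry above) makes LSASS load it as an authentication package, which is the position from which the msv1_0.dll hooks listed here can be placed. The PowerShell below is an added defender-side audit, not part of the ESET entry: it reads that value, flags entries outside an assumed baseline of Windows' own packages, and checks the Authenticode signature of each package DLL resolved from %windir%\system32. The baseline list is an assumption; adjust it to your own golden image.

```powershell
# Added audit script (not from the ESET entry). Assumption: the baseline below is
# the set of packages present on your own clean build; extend it as needed.
function Get-LsaSecurityPackageAudit {
    $LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', '""')

    $raw = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages' `
                -ErrorAction SilentlyContinue).'Security Packages'

    # The value is REG_MULTI_SZ; some tooling renders it as one comma/space separated
    # string (the entry above shows "%originalvalue%,%variable%.dll"), so split both ways.
    $packages = @($raw) -split '[,\s]+' | Where-Object { $_ -ne '' }

    foreach ($pkg in $packages) {
        $name = [System.IO.Path]::GetFileNameWithoutExtension($pkg)

        # Unrooted names load from %windir%\system32; an absolute path is used as given.
        $dllPath = if ([System.IO.Path]::IsPathRooted($pkg)) { $pkg }
                   else { Join-Path $env:windir "system32\$name.dll" }

        $sigStatus = if (Test-Path -LiteralPath $dllPath) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } else { 'FileMissing' }

        [PSCustomObject]@{
            Package         = $pkg
            Path            = $dllPath
            Signature       = $sigStatus
            OutsideBaseline = ($Baseline -notcontains $name.ToLower())
        }
    }
}

# Report only entries that need a look: unknown package name or DLL not validly signed.
Get-LsaSecurityPackageAudit |
    Where-Object { $_.OutsideBaseline -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it elevated; a randomly named, unsigned DLL in system32 appearing in this value matches the installation behaviour described above and warrants pulling the file for analysis.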
