PWSteal.Flecsip is a password stealing Trojan that logs passwords and other confidential data entered by the user accessing Web pages through Internet Explorer. The Trojan saves a log file with stolen data and attempts to send it to a remote attacker.
When PWSteal.Flecsip is executed, it performs the following actions:
1. Copies itself as %System%\msserv.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"msserv" = "%System%\msserv.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
3. Monitors active Internet Explorer browser windows. When the user visits a Web site the Trojan logs page data and user text entered and saves it to the following log file:
%System%\servms.dll
4. Attempts to send the stolen information to a predetermined email account on the yandex.ru domain.
REMOVAL INSTRUCTIONSSee:
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.flecsip.htmlTo delete the value from the registry 1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"msserv" = "%System%\msserv.exe"
6. Exit the Registry Editor.
AlphaOne Technology Support Forums
Author
Logged
