PWSteal.Drorar is a Trojan horse that attempts to steal system information and log keystrokes. It sends the gathered information to predetermined URLs.
When PWSteal.Drorar is executed, it performs the following actions:
1. Creates a Microsoft Word document named mssvr.doc and opens it.
2. Copies itself to the following locations:
* %ProgramFiles%\Common Files\system\ado\mssrv.exe
* %ProgramFiles%\Common Files\system\svchost.exe
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
3. Creates the following service so that it executes every time Windows starts:
Name: MSDCSRV32
ImagePath: %ProgramFiles%\Common Files\system\ado\mssrv.exe
DisplayName: Network Distributed Transaction Coordinator for Workstation
4. Creates the following files:
* %Windir%\WindowsUpdate.dat
* %Windir%\sclureg32a.dll
* %Windir%\winsock_32a.dll
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
5. Adds the value:
"PathName" = "%Windir%\winsock_32a.dll"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\FCMAIL_TCPIPDOG
6. Logs keystrokes and gathers system information from the compromised computer.
7. Writes the gathered information to the following files:
* %Windir%\Setup32set.ini
* %Windir%\SetupRe.dat
8. Sends the gathered information to the following URLs as HTTP POST data:
* [http://]www.stone122.com/[REMOVED]/DoUp.php
* [http://]www2.stone122.com/[REMOVED]/DoUp.php
* [http://]www.stone199.com/[REMOVED]/DoUp.php
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.drorar.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\FCMAIL_TCPIPDOG
5. In the right pane, delete the value:
"PathName" = "%Windir%\winsock_32a.dll"
6. Exit the Registry Editor.
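The following PowerShell script is an added example and is not part of the Symantec write-up. It audits a host for the indicators listed in the behaviour section above (dropped files, the MSDCSRV32 service and the WinSock2 PathName value) and, as a scripted equivalent of the registry steps in the removal instructions, deletes the PathName value. The file paths, service name and registry location are taken from the write-up; the function names Get-DrorarIndicators and Remove-DrorarRegistryValue are my own, and the script assumes it is run in an elevated Windows PowerShell or PowerShell 7 session.

```powershell
# Added example (not from the Symantec write-up): audit a host for the
# PWSteal.Drorar indicators listed above, and remove the WinSock2 registry
# value that the removal instructions delete by hand.
# Function names are this example's own; indicator values are from the write-up.

$DrorarRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\FCMAIL_TCPIPDOG'

function Get-DrorarIndicators {
    [CmdletBinding()]
    param()

    $programFiles = $env:ProgramFiles   # %ProgramFiles%
    $windir       = $env:windir         # %Windir%

    # Files the Trojan drops or writes (from the write-up)
    $files = @(
        (Join-Path $programFiles 'Common Files\system\ado\mssrv.exe'),
        (Join-Path $programFiles 'Common Files\system\svchost.exe'),
        (Join-Path $windir 'WindowsUpdate.dat'),
        (Join-Path $windir 'sclureg32a.dll'),
        (Join-Path $windir 'winsock_32a.dll'),
        (Join-Path $windir 'Setup32set.ini'),   # keystroke/system-info log
        (Join-Path $windir 'SetupRe.dat')       # keystroke/system-info log
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $f })
        }
    }

    # Persistence: service MSDCSRV32 with a misleading display name
    $svc = Get-Service -Name 'MSDCSRV32' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add([pscustomobject]@{
            Type      = 'Service'
            Indicator = "MSDCSRV32 ($($svc.DisplayName), status $($svc.Status))"
        })
    }

    # Registry: PathName value pointing at winsock_32a.dll
    $prop = Get-ItemProperty -LiteralPath $DrorarRegKey -Name 'PathName' -ErrorAction SilentlyContinue
    if ($prop) {
        $findings.Add([pscustomobject]@{
            Type      = 'Registry'
            Indicator = "$DrorarRegKey\PathName = $($prop.PathName)"
        })
    }

    return $findings
}

function Remove-DrorarRegistryValue {
    # Scripted equivalent of removal steps 1-6 above; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -LiteralPath $DrorarRegKey)) {
        Write-Verbose "Subkey $DrorarRegKey not present; nothing to remove."
        return
    }
    if ($PSCmdlet.ShouldProcess($DrorarRegKey, "Remove value 'PathName'")) {
        Remove-ItemProperty -LiteralPath $DrorarRegKey -Name 'PathName' -ErrorAction Stop
    }
}

# Usage:
Get-DrorarIndicators | Format-Table -AutoSize
Remove-DrorarRegistryValue -WhatIf   # drop -WhatIf to actually delete the value
```

The audit function only reports; a non-empty result means the host should be handled according to the full removal procedure linked above, since this script removes nothing but the registry value the instructions cover and does not stop the service or delete the dropped files. The files under %Windir% named Setup32set.ini and SetupRe.dat are the keystroke and system-information logs, so their presence is the clearest sign that data was collected and may already have been posted to the listed hosts.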