
Win32.Manda.A

LOW
63,488 bytes (packed size: 35,347 bytes)
Alias: PWSteal.Salira (NAV)

Symptoms

- The file winrarshell32.exe is present in the System folder (usually Windows\System32 or Windows\System).
- The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrarshell points to the winrarshell32 file, so the trojan is executed at every system startup.

Removal instructions:

Let BitDefender delete the files it found infected.

Analyzed By

Mihai Chiriac, Mihai Neagu (BitDefender Anti-Virus Researchers)

Technical Description:

The trojan arrives as a .RAR archive with a malformed header. Some misconfigured archivers may execute the trojan merely when the archive is viewed. The archive is named like a movie subtitle file and is 35,347 bytes in size.
When executed, the trojan copies itself as "winrarshell32.exe" and registers itself to be executed at every system startup.
Then it turns on several password caching facilities in Windows:
- Autocomplete: by adding "Use AutoComplete" = "yes" to the registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoComplete
- Password suggesting: by adding "FormSuggest Passwords" = "yes" and "Use FormSuggest" = "yes" to the registry key
  HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
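The startup entry listed under Symptoms and the password-caching values above are all plain registry indicators, so they can be checked offline against a registry export taken from a suspect host. The following is an added example, not part of the Bitdefender write-up: it parses the text format produced by `reg export` and reports every key/value pair this description attributes to the trojan. The sample export embedded below is constructed for the example; only the key paths and value names come from the write-up.

```python
"""Scan a Windows registry export (.reg text) for the indicators
described for Win32.Manda.A. Added example; the sample export is
constructed, the key paths and value names are from the write-up."""
import re

# (key path, value name, expected data or None for "any data")
MANDA_REGISTRY_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "winrarshell", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoComplete",
     "Use AutoComplete", "yes"),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main",
     "FormSuggest Passwords", "yes"),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main",
     "Use FormSuggest", "yes"),
]

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}.
    REG_SZ data ("quoted") is unquoted and backslash-unescaped; other
    value types are kept as their raw textual form."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.lower()] = data
    return keys


def find_manda_indicators(reg_text):
    """Return a list of readable hits, one per matching indicator."""
    keys = parse_reg_export(reg_text)
    hits = []
    for path, name, expected in MANDA_REGISTRY_IOCS:
        data = keys.get(path.lower(), {}).get(name.lower())
        if data is None:
            continue
        if expected is None or data.lower() == expected.lower():
            hits.append(f"{path}\\{name} = {data!r}")
    return hits


# Constructed sample export resembling an infected host (not real data).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winrarshell"="C:\\WINDOWS\\System32\\winrarshell32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoComplete]
"Use AutoComplete"="yes"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="yes"
"FormSuggest Passwords"="yes"
"""

if __name__ == "__main__":
    for hit in find_manda_indicators(SAMPLE_REG_EXPORT):
        print("indicator:", hit)
```

A real `reg export` file is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. The autocomplete values alone are a weak signal (an administrator may set them deliberately), which is why the Run entry is checked with any data and the caching values are only reported when they carry the exact data the trojan writes.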

The trojan logs every password to a file called "system31.bug" and sends that file to the author in a mail that looks like the following:

From: BUG_Mafia@as.ro
To: mandaril@as.ro
Subject:#2.02dev
X-Mailer: bugmafia v2.02dev
MIME-Version: 1.0
Content-Type: multipart/mixed;

The trojan also includes system statistics in the email, and on NT-based systems it fetches the NT LAN Manager password hashes and sends them too.
To send the mail, the trojan uses its own SMTP engine rather than the local mail client.
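Because the trojan carries its own SMTP engine, the exfiltration mail leaves the workstation as a direct port-25 connection rather than through the organisation's mail client and server, so a mail gateway or an egress capture point is the place to look for it. The following is an added example, not part of the Bitdefender write-up: it scores a captured message against the header fingerprint quoted above and the "system31.bug" attachment name. The sample message is constructed for the example (the boundary string and the part bodies are invented); only the header values and the attachment name come from the write-up.

```python
"""Score a captured outbound message against the Win32.Manda.A mail
fingerprint. Added example; the sample message below is constructed."""
import email
from email import policy

# Header fingerprint from the mail quoted in the write-up.
# Matching is case-insensitive substring, so a different version
# string in X-Mailer still matches on the "bugmafia" name.
MANDA_MAIL_FINGERPRINT = {
    "X-Mailer": "bugmafia",
    "From": "bug_mafia@as.ro",
    "To": "mandaril@as.ro",
    "Subject": "#2.02dev",
}
MANDA_LOG_FILENAME = "system31.bug"


def manda_mail_score(raw_message):
    """Return (score, reasons): one point per matching header, plus one
    if any MIME part carries the trojan's log file name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    for header, needle in MANDA_MAIL_FINGERPRINT.items():
        value = str(msg.get(header) or "").lower()
        if needle.lower() in value:
            reasons.append(f"{header} matches {needle!r}")
    for part in msg.walk():
        if (part.get_filename() or "").lower() == MANDA_LOG_FILENAME:
            reasons.append(f"attachment named {MANDA_LOG_FILENAME}")
    return len(reasons), reasons


def is_manda_exfil(raw_message, threshold=2):
    """Flag a message when at least `threshold` indicators agree, so a
    single coincidental header does not trigger by itself."""
    score, _ = manda_mail_score(raw_message)
    return score >= threshold


# Constructed sample of the exfiltration mail (boundary and bodies invented).
SAMPLE_MESSAGE = """\
From: BUG_Mafia@as.ro
To: mandaril@as.ro
Subject: #2.02dev
X-Mailer: bugmafia v2.02dev
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="example-boundary"

--example-boundary
Content-Type: text/plain

Host: WORKSTATION01 (constructed sample system information)

--example-boundary
Content-Type: application/octet-stream; name="system31.bug"
Content-Disposition: attachment; filename="system31.bug"

(captured keystrokes would be here)
--example-boundary--
"""

if __name__ == "__main__":
    score, reasons = manda_mail_score(SAMPLE_MESSAGE)
    print(f"score={score}, flagged={is_manda_exfil(SAMPLE_MESSAGE)}")
    for r in reasons:
        print(" -", r)
```

The threshold is deliberately above one: a lone "From" or "Subject" match can occur by accident, while two or more independent indicators (the X-Mailer string together with the attachment name, for instance) are specific to this family. Blocking direct outbound port 25 from workstations and logging the attempts stops the exfiltration independently of this content check.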