Systweak Spyware Library
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Trojan.ps Analysis Report
Threat Submitted On: 9/22/2008 7:36:44 PM
Threat Analysed On: 9/23/2008 12:36:44 AM
Threat Updated On: 1/28/2011 1:45:08 PM
Type : Trojan
Symptoms of ps
  • Performs illicit activities under the guise of a useful program.
  • Downloads malicious code and programs such as keyloggers.
  • Is capable of harvesting the user’s personal and confidential information.
Information
Alias : trojan-aol.win16.ps.oh
Md5 Hash : [3b880c3e22fb0fb22f9fd2f7952ee7c9]
File Size : (425984 bytes)

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: config.exe
Path : %systemdrive%

Md5Hash :ae4dd6c9a4ce0da57ff84429e37b36db ( 139264 bytes)
File: funprog.exe
Path : %windir%

Md5Hash :3b880c3e22fb0fb22f9fd2f7952ee7c9 ( 425984 bytes)
File: pws_cheeky.exe
Path : %windir%\system

Md5Hash :3b880c3e22fb0fb22f9fd2f7952ee7c9 ( 425984 bytes)
File: winpfc.exe
Path : %windir%\system

Md5Hash :
6a5060ba42cc57c4f8b0115d81530847 ( 397314 bytes)
9aed5d5f66d99ff67ac482b3410d2168 ( 397312 bytes)
d45774ef7f69eba923083f149bda552a ( 397312 bytes)
File: win32sys4.exe
Path : %windir%

Md5Hash :8d6d20a8c769b18cc0bfd05b32051ac2 ( 1836544 bytes)
File: [randomname].exe
Path : %workingdir%

The following registry values are added to the provided registry keys:
Note:
Delete the added values from the key to remove the infection
|__ Value Added :
AOL5PWSUSA = "%SYSTEMDRIVE%\CONFIG.EXE"
|__ Value Added :
pws_cheeky.exe = "%windir%\system\pws_cheeky.exe"
|__ Value Added :
system = "system.exe"
Creates the following child process(es) on execution:

%windir%\system\pws_cheeky.exe

Copies the following files to the given locations:

Copies :%workingdir%\[random name].exe

To : %windir%\funprog.exe

Copies :%workingdir%\[random name].exe

To : %windir%\system\pws_cheeky.exe

NOTE:

1. %systemdrive% refers to the Windows system drive. By default it is 'C:\'
2. %windir% refers to the Windows root folder. By default it is 'C:\Windows'
3. %workingdir% refers to the current directory in which the user is working.

Important: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the malicious/suspicious subkeys only.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run.
2. Type "regedit" to open the Registry Editor.
3. Navigate to the required registry key in the left tree pane and modify it accordingly.



© Systweak Inc., 1999-2011 All rights reserved.