Filed under: Weekly Review

[Malware Review] Trojan.PWS.KATES.AG – Browsers’ Peeping Tom

16 July 2010
Internet search habits, passwords and login credentials are all under serious scrutiny with Trojan.PWS.KATES.

The moment it reaches a new system, Trojan.PWS.KATES will create a copy of itself and move it to %userprofile%\Templates\memory.tmp. Once this initial task is completed, the original file is deleted.

Next, the malicious file creates the “Windows Server” subdirectory inside Local Settings\Application Data\ and drops a 3 KB .dll file called pwfsdy.dll. The file's access, creation and write times are replaced with those of user32.dll, so the dropped file does not stand out when the directory is sorted by date. In order for the .dll file to be executed automatically each time a program is run for the first time, a registry key is written under SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll. This means that any program the user installs will also launch this piece of malware.

Subsequently, the binary data stored in the Registry key HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy\lbtppwfsdy is executed by the pwfsdy.dll file.
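The three installation artefacts just described (a DLL registered under AppCertDlls from outside the system directory, timestamps cloned from user32.dll, and the payload key under HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy) are each checkable from an incident-response triage script. The following is an added example written for this review, not BitDefender's or the researcher's code. It assumes the AppCertDlls key is read from a `reg export` text under HKEY_LOCAL_MACHINE (where SYSTEM\CurrentControlSet lives), and the registry export and file timestamps it works on are constructed samples so it runs offline; on a live host you would feed it the real export and the `os.stat()` times of the dropped file and of user32.dll.

```python
"""Triage checks for the Trojan.PWS.KATES installation indicators (added example)."""
import re
from datetime import datetime, timedelta

# Indicators quoted from the write-up, lower-cased for case-insensitive matching.
KNOWN_PATH_FRAGMENTS = (r"\templates\memory.tmp", r"\windows server\pwfsdy.dll")
KNOWN_REG_KEYS = (r"hkey_current_user\software\lbtppwfsdy",)
APPCERT_KEY = (r"hkey_local_machine\system\currentcontrolset\control"
               r"\session manager\appcertdlls")

# Constructed sample of a `reg export`, not a real capture: the AppSecDll value
# from the article plus the payload key.  Path strings use the .reg "\\" escaping.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\Windows Server\\pwfsdy.dll"

[HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy]
"lbtppwfsdy"=hex:4d,5a,90,00
'''

# Constructed timestamps: the dropped DLL carries an exact copy of user32.dll's.
USER32_TIMES = {"created": datetime(2008, 4, 14, 12, 0, 0),
                "accessed": datetime(2010, 7, 15, 8, 30, 0),
                "written": datetime(2008, 4, 14, 12, 0, 0)}
PWFSDY_TIMES = dict(USER32_TIMES)


def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} from .reg export text.
    String data is unquoted and its doubled backslashes collapsed; other
    types (hex:, dword:) are kept as the raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1).lower()
            keys[current] = {}
            continue
        value_match = re.match(r'^"([^"]+)"=(.*)$', line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def appcertdll_findings(keys):
    """Flag AppCertDlls values: every process that goes through CreateProcess
    loads these DLLs, so any entry outside %SystemRoot%\\System32 deserves a
    look, and a path matching the article's indicators is a known hit."""
    findings = []
    for name, path in keys.get(APPCERT_KEY, {}).items():
        lower = path.lower()
        in_system_dir = "\\system32\\" in lower
        known = any(frag in lower for frag in KNOWN_PATH_FRAGMENTS)
        if known:
            findings.append((name, path, "known KATES dll"))
        elif not in_system_dir:
            findings.append((name, path, "AppCertDll outside system directory"))
    return findings


def kates_registry_keys(keys):
    """Registry keys present in the export that match the payload key."""
    return [k for k in keys if any(k.startswith(known) for known in KNOWN_REG_KEYS)]


def timestomp_suspect(file_times, reference_times, tolerance=timedelta(seconds=1)):
    """True when creation, access and write times all equal the reference
    file's (user32.dll in the article).  A freshly dropped DLL sharing all
    three timestamps with a system file is a timestomping indicator."""
    return all(abs(file_times[k] - reference_times[k]) <= tolerance
               for k in ("created", "accessed", "written"))


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for name, path, reason in appcertdll_findings(parsed):
        print(f"AppCertDlls\\{name} -> {path}  [{reason}]")
    for key in kates_registry_keys(parsed):
        print(f"payload key present: {key}")
    print("pwfsdy.dll timestomped:", timestomp_suspect(PWFSDY_TIMES, USER32_TIMES))
```

The export parser is deliberately minimal (string and raw hex/dword values only); the point is that persistence through AppCertDlls is visible in a single key, and that comparing the dropped file's three timestamps against user32.dll's turns the Trojan's own anti-forensic trick into a detection.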

The call to action is triggered once the Trojan is loaded together with the Internet browser the computer owner uses to access web pages. Whether the browser is Firefox®, Opera® or Internet Explorer®, Trojan.PWS.KATES hooks the functions that transfer data over the Internet connection. It filters what appear to be search result pages delivered by search engines and randomly replaces them with a URL that takes the user to “exotic” destinations, such as fake online antivirus scanners or websites with pornographic content.

Apart from constantly monitoring the user’s choice of sites, Trojan.PWS.KATES also peeps at users’ passwords and at whatever other critical data they provide on the Internet, shipping it to the malware developer’s servers.

The technical information in this article is available courtesy of BitDefender virus researcher Voicu Hodrea.

Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.
