Tuesday, September 29, 2015

VawTrak Trojan

Today I was diagnosing why a client's Internet connection was running so slow. After tracing the traffic I found it was one Windows 7 PC which was infected with a virus. The following processes were running on the machine, all communicating with various Internet IP addresses.
  • conhost.exe
  • cmd.exe
  • ctfmon.exe
  • dllhost.exe
  • msiexec.exe
  • notepad.exe
  • presentationhost.exe
Note: Use Windows Resource Monitor and navigate to the Network tab to find out which processes are communicating with Internet resources.

When killing one of these processes, it would simply respawn. The computer was also running very slow and sluggish, with web browsers and Windows Explorer constantly hanging and freezing.
 
These symptoms are related to Trojan.VawTrak, which the computer was infected with. Trojan.VawTrak copies itself into C:\ProgramData and spawns these processes with its malicious code.
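The manual check described above (Resource Monitor's Network tab, then looking for binaries under C:\ProgramData) can be scripted. This is an added example, not code from the original post: it lists established TCP connections to non-private addresses and flags the ones owned by process names that normally have no reason to talk to the Internet, or whose image lives under C:\ProgramData. It assumes PowerShell 5+ on Windows 8/Server 2012 or later (Get-NetTCPConnection); on the Windows 7 PC from the post, netstat -ano or Resource Monitor gives the same data. The process-name list and the private-range regex are assumptions for this example.

```powershell
# Added example: flag outbound connections owned by unlikely processes
# or by binaries running from C:\ProgramData (the VawTrak drop location
# named in the post). Run as Administrator so process paths are readable.

# Process names seen beaconing in the post; extend for your environment (assumption)
$SuspectNames = 'conhost','cmd','ctfmon','dllhost','msiexec','notepad','presentationhost'

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, loopback and link-local ranges are treated as non-Internet traffic
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)')
}

function Get-SuspectConnection {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if ($null -eq $proc) { return }   # process already exited or access denied
            $name = $proc.ProcessName.ToLower()
            [PSCustomObject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Path    = $proc.Path              # $null when the image path is not readable
                Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
                Suspect = ($SuspectNames -contains $name) -or
                          ($proc.Path -like 'C:\ProgramData\*')
            }
        }
}

# Suspect rows first; review Path for anything launched from C:\ProgramData
Get-SuspectConnection | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

A system process such as dllhost.exe or msiexec.exe with an established connection to an Internet address is worth investigating even when its image path looks legitimate, since the post shows these names being used by injected code.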
 
Trojan.VawTrak can be cleaned up with Malwarebytes or manually.
 
Trojan.VawTrak is a virus you definitely want to get rid of, as it is designed to steal online banking information. Some of the common tasks it performs are:
  • Disables antivirus protection.
  • Communicates with remote C&C servers – executes commands from a remote server, sends stolen information, downloads new versions of itself and web-injection frameworks.
  • Hooks standard API functions, injects itself into new processes.
  • Steals passwords, digital certificates, browser history, and cookies.
  • Logs keystrokes.
  • Takes screenshots of desktop or particular windows with highlighted mouse clicks.
  • Captures user actions on desktop in an AVI video.
  • Opens a VNC (Virtual Network Computing) channel for remote control of the infected machine.
  • Creates a SOCKS proxy server for communication through the victim's computer.
  • Changes or deletes browser settings (e.g. disables Firefox SPDY) and history. Vawtrak supports three major browsers to operate in – Internet Explorer, Firefox, and Chrome. It also supports password stealing from other browsers.
  • Modifies browser communication with a web server.
  • Stores internal settings into encrypted registry keys.
Due to the severity of this Trojan and the rate at which it is spreading, AVG has done a detailed write-up, which is available here:

http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf
