Threat behavior
Win32/Prefsap is a family of trojans that attempts to steal users’ FTP account details and sends this information to a remote server. It has been observed being downloaded by variants of the TrojanDownloader:Win32/Cbeplay family.
Installation
The malware’s dropper component is typically installed by another piece of malware. It has been observed being downloaded and executed by variants of the TrojanDownloader:Win32/Cbeplay family, such as TrojanDownloader:Win32/Cbeplay.E.
When executed, the dropper component (detected as TrojanDropper:Win32/Prefsap.gen or similar) checks for the existence of the following directories:
It drops a file named setupapi.dll into each of these directories that is present. This file is detected as PWS:Win32/Prefsap.gen or similar.
Because Windows resolves a DLL requested by bare name from the application’s own directory before it looks in %SystemRoot%\System32, the planted copy is loaded in place of the genuine setupapi.dll (a DLL search-order hijack). The effect is that the malicious DLL runs whenever any of the web browsers installed in these directories is started, without any change to the browser executables or to autostart registry entries.
Payload
Sends FTP Account Information to a Remote Server
Once launched by starting one of the above web browsers, the malware checks the registry for entries belonging to a number of popular FTP clients. If any are found, it examines the registry entries further to determine the location of the clients’ configuration files. It then attempts to extract and decode account information from these files, including each server location and port, and the username and password used to log into each of these servers.
If it is successful, it sends the account information to a remote server. At the time of publication, the server used was located at 66.199.231.178.
The malware stores information about which account details have already successfully been sent in a number of registry entries under the key:
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust
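The two host-side indicators described above, the setupapi.dll planted beside a browser and the marker values written directly under the WinTrust key, can be hunted for with a short script. The following is an added example written for this page, not code from the original analysis or from Microsoft. The page does not list the directories the dropper checks, so the scan roots are a parameter; the "ExampleBrowser" directory and the file contents are constructed sample data. One caveat a practitioner should know: the WinTrust key itself exists on clean systems (it holds the Trust Providers subkey used by Authenticode settings), so the key’s presence is not an indicator; unexpected values sitting directly beneath it are.

```python
"""Hunt for Win32/Prefsap-style indicators: a setupapi.dll outside the Windows
system directories (DLL search-order hijack) and marker values directly under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust.

Added example, not part of the original page. Scan roots are an assumption
because the page does not list the directories the dropper targets.
"""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET = "setupapi.dll"
# Legitimate homes for the DLL on a 64-bit install; any other location is suspect.
LEGIT_DIRS = ("windows/system32", "windows/syswow64", "windows/winsxs")
WINTRUST_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\WinTrust"


def sha256_of(path):
    """Hash the file so a hit can be compared against the genuine DLL."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hijack_candidates(roots):
    """Return [(path, size, sha256)] for every setupapi.dll found under the
    given roots that is not in one of the legitimate system directories."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != TARGET:
                    continue
                full = Path(dirpath, name)
                normalized = full.as_posix().lower()
                if any(d in normalized for d in LEGIT_DIRS):
                    continue  # genuine copy or the side-by-side store
                hits.append((str(full), full.stat().st_size, sha256_of(full)))
    return hits


def wintrust_marker_values():
    """Windows-only: names of values stored directly under the WinTrust key.
    Returns None off Windows or when the key cannot be opened. A clean system
    normally has subkeys here (Trust Providers) but no values of its own."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINTRUST_SUBKEY)
    except OSError:
        return None
    names = []
    index = 0
    try:
        while True:
            name, _data, _kind = winreg.EnumValue(key, index)
            names.append(name)
            index += 1
    except OSError:
        pass  # EnumValue raises when the values are exhausted
    finally:
        winreg.CloseKey(key)
    return names


def build_demo_tree(base):
    """Constructed sample layout: a stand-in System32 copy plus one planted
    next to a hypothetical browser executable."""
    sys32 = Path(base, "Windows", "System32")
    browser = Path(base, "Program Files", "ExampleBrowser")
    sys32.mkdir(parents=True)
    browser.mkdir(parents=True)
    (sys32 / "setupapi.dll").write_bytes(b"MZ genuine-stand-in")
    (browser / "example.exe").write_bytes(b"MZ browser-stand-in")
    (browser / "setupapi.dll").write_bytes(b"MZ planted-stand-in")
    return str(base)


def demo():
    """Run the file-system hunt over the constructed tree; only the planted
    copy next to the browser should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_hijack_candidates([tmp])


if __name__ == "__main__":
    for path, size, digest in demo():
        print(f"SUSPECT {path} ({size} bytes) sha256={digest}")
    markers = wintrust_marker_values()
    if markers:
        print("Values directly under HKCU WinTrust:", ", ".join(markers))
```

On a live host, pass the real Program Files roots (and any per-user install directories) to find_hijack_candidates and compare each hit’s hash with the System32 copy; a setupapi.dll whose hash differs from the system one and which sits beside a browser executable matches the dropper behaviour described above.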
FTP Clients targeted by the malware include the following:
SecureFX
WS_FTP
Core FTP
FileZilla
FTP Voyager
Total Commander
BulletProof FTP
GlobalSCAPE FTP / Cute FTP
CoffeeCup FTP
FTP Commander Pro
SmartFTP
LeapFTP
Far FTP
Analysis by David Wood
Prevention