MSIL/PSW.Agent.NUM [Threat Name]

MSIL/PSW.Agent.NUM [Threat Variant Name]

Category: trojan
Size: 306688 B
Detection created: Oct 24, 2013
Detection database version: 8975
Aliases:
  Trojan:MSIL/Limitless.A (Microsoft)
  PSW.MSIL.JJT.trojan (AVG)
  Win32:Dropper-MCA (Avast)

Short description

MSIL/PSW.Agent.NUM is a trojan that steals passwords and other sensitive information.

Installation

The trojan does not create any copies of itself.

Information stealing

The trojan collects various sensitive information.


The following information is collected:

  • computer name
  • memory status
  • operating system version
  • CPU information
  • external IP address of the network device
  • installed firewall application
  • installed antivirus software
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • e-mail accounts data
  • Bitcoin wallet contents
  • screenshots
  • FTP account information

The following programs are affected:

  • Bitcoin
  • CoreFTP
  • DynDNS
  • Epicbot
  • FileZilla
  • Google Chrome
  • Imvu
  • Internet Explorer
  • InternetDownloadManager
  • Minecraft
  • Mozilla Firefox
  • MSN Messenger
  • NimBuzz
  • NoIP
  • Opera
  • Pidgin
  • Rarebot
  • RSBot
  • RuneScape
  • Safari
  • SmartFTP
  • Spotify
  • Steam

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of addresses (1 entry). The HTTP, FTP and SMTP protocols are used.

Other information

The trojan is usually part of other malware named MSIL/Spy.Agent.PI.


The trojan contains the program code of the following malware:

  • Win32/PSWTool.PassFox.D
  • Win32/PSWTool.MailPassView.E

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    • "DisableCMD" = "1"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoControlPanel" = 1
    • "NoFolderOptions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
    • "DisableTaskMgr" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 1
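
One way to check a host for the Registry entries listed above, as an added example that is not part of the original description or the vendor's tooling. It scans the text of a `.reg` export for the listed values set to 1; the function name, the signal labels and the sample export are assumptions made for illustration, and EnableLUA is marked low-signal because 1 is also the Windows default for that value.

```python
import re

HKCU = "hkey_current_user\\software\\"
HKLM = "hkey_local_machine\\software\\"
# Keys and value names as listed on this page (lower-cased for matching).
# EnableLUA = 1 is also the Windows default, so it is marked low-signal.
INDICATORS = {
    HKCU + r"policies\microsoft\windows\system": {"disablecmd": "high"},
    HKCU + r"microsoft\windows\currentversion\policies\explorer":
        {"nocontrolpanel": "high", "nofolderoptions": "high"},
    HKCU + r"microsoft\windows\currentversion\policies\system":
        {"disableregistrytools": "high", "disabletaskmgr": "high"},
    HKLM + r"microsoft\windows nt\currentversion\systemrestore": {"disablesr": "high"},
    HKLM + r"microsoft\windows\currentversion\policies\system": {"enablelua": "low"},
}
# Matches "Name"=dword:0000000n and "Name"="text" lines of a .reg export.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"([^"]*)")$')

def scan_reg_export(text):
    """Return (key, value name, signal) for each listed value that is set to 1."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # section header: remember the current key
            continue
        m = VALUE_RE.match(line)
        if not m or key not in INDICATORS:
            continue
        name, dword, text_value = m.groups()
        signal = INDICATORS[key].get(name.lower())
        # Normalise REG_DWORD and REG_SZ data to the same string form.
        value = str(int(dword, 16)) if dword is not None else text_value
        if signal and value == "1":
            hits.append((key, name.lower(), signal))
    return hits

# Constructed sample input (not taken from a real host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"""
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `scan_reg_export`. Several of these values can also be set by legitimate administrative policy, so treat a hit as a lead to correlate with the other indicators on this page.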

The trojan may create the following files:

  • %temp%\logff.txt
  • %temp%\logmail.txt

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • delete cookies
  • send IM messages

The trojan requires the Microsoft .NET Framework to run.
