Trojan.PWS.Stealer.1630

Added to the Dr.Web virus database: 2012-12-04

Virus description added:

A plug-in for Win32.Sector that steals information from various programs.

Characteristic strings:


Software\Microsoft\Windows\CurrentVersion\Run
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Software\Microsoft\Windows\CurrentVersion\Internet Settings
IpSec
%s:*:Enabled:ipsec
SYSTEM.INI
&%x=%d
?%x=%d
GdiPlus.dll
http
angel
GlobalUserOffline
&v=6
InternetOpenA
InternetReadFile
InternetOpenUrlA
InternetCloseHandle
WININET.DLL
0145789
w%x.exe
dnsapi.dll
DnsQuery_A
DnsRecordListFree
ampuku
%s%x
boot
shell
Explorer.exe 
KERNEL32
username
host
%x%x.tmp
DPAPI:
ftp://
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
globalscape
Volatile Environment
APPDATA
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
FtpIniName
InstallDir
empty
login
index
main
default
.php
.asp
.htm
%s=%x
public_html
htdocs
httpdocs
httpsdocs
docs
html
site
wwwroot
%s:%s@%s [%s]
anonymous
sm.dat
tree.dat
smdata.dat
<Password>
.dat
SiteManagerPath
InstallLocation
cuteftp
globalscape
Software\GlobalSCAPE
pstorec.dll
PStoreCreateInstance
HostName
User
Password
crypt32.dll
CryptUnprotectData
Connections
password
SOFTWARE\Far\Plugins\FTP\Hosts
http://microupdate14.info/iframe.txt
http://kukutrustnet888.info/iframe.txt
.xml
document.write('<iframe src=" width=1 height=1></iframe>')
smartftp
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
ftplist.txt
User=
Server=
Password=
Port=
commander
sitemanager.xml
filezilla
filezilla.xml
<Host>
<User>
<Pass>
<Port>
wcx_ftp.ini
netsh firewall set opmode disable
<script>eval(unescape('
ieuser
'));</script>
SOFTWARE\Far2\Plugins\FTP\Hosts
flashfxp
sites.dat
quick.dat
history.dat
SOFTWARE\FlashFXP\3
Install Path
InstallerDathPath
port
CryptAcquireContextA
CryptDeriveKey
CryptDecrypt
CryptDestroyKey
CryptReleaseContext
advapi32.dll
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptSetKeyParam
CryptImportKey
ipswitch
.ini
Software\FTPWare\COREFTP\Sites
BPSitelist
bulletproof
SitesDir
Software\
classicftp
fling
_FtpPassword
NCH Software\
_Password
ftp explorer
BD-07021973+19101972-DB
bitkinex.ds
addrbk.dat
Software\TurboFTP
installpath
ftpsite.xml
SET DST_ADDR 
SET USER 
SET PASS 
### Node definition:
host="
user="
pass="
<site
host host
</site>
FtpUserName
FtpServer
server
leap
turbo
ftp control
frigate
hostinfo
ExpanDrive
profiles
WinSCP
me@mysite.com
ftp.oxc
wand.dat
.prf
InstallLocation
DisplayIcon
Martin Prikryl
CryptGetHashParam
<Login>
session
</ftpx
pass
</server
yA36zA48dEhfrvghGRg57h5UlDv3
hdfzpysvpzimorhk
SOFTWARE\ksli
document.write('<iframe src=" width=1 height=1></iframe>')
full address:s:
username:s:
password 51:b:
.rdp
Microsoft_WinInet_
abe2869f-9b47-4cd9-a358-c22904dba7f7
if (!defined ("determinator")){eval(base64_decode(
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_CheckUserPassword
PK11_Authenticate
PK11SDR_Decrypt
nss3.dll
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
mozilla
signons.sqlite
Login Data
SQLite format 3
ftp.globalscape.com
ftp.smartftp.com
nssdcftp.gsfc.nasa.gov
ftp.sunet.se
ftp.simtel.net
ftp.microsoft.com
ftp.novell.com
ftp.netscape.com
ftp.apple.com
ftp.redhat.com
123456
123456789
qwerty
111111
1234567
666666
12345678
7777777
123321
654321
1234567890
123123
555555
vkontakte
gfhjkm
159753
777777
TempPassWord
qazwsx
1q2w3e
1234
112233
121212
qwertyuiop
qq18ww899
987654321
12345
zxcvbn
zxcvbnm
999999
samsung
ghbdtn
1q2w3e4r
1111111
123654
159357
131313
qazwsxedc
123qwe
222222
asdfgh
333333
9379992
asdfghjkl
4815162342
12344321
88888888
11111111
knopka
789456
qwertyu
1q2w3e4r5t
iloveyou
vfhbyf
marina
password
qweasdzxc
10203
987654
yfnfif
cjkysirj
nikita
888888
vfrcbv
k.,jdm
qwertyuiop[]
qwe123
qweasd
natasha
123123123
fylhtq
q1w2e3
stalker
1111111111
q1w2e3r4
nastya
147258369
147258
fyfcnfcbz
1234554321
1qaz2wsx
andrey
111222
147852
genius
sergey
7654321
232323
123789
fktrcfylh
spartak
admin
test
azerty
abc123
lol123
easytocrack1
hello
saravn
holysh!t
Test123
tundra_cool2
dragon
thomas
killer
root
1111
pass
master
aaaaaa
monkey
daniel
asdasd
e10adc3949ba59abbe56e057f20f883e
changeme
computer
jessica
letmein
mirage
loulou
superman
shadow
admin123
secret
administrator
sophie
kikugalanetroot
doudou
liverpool
hallo
sunshine
charlie
parola
100827092
michael
andrew
password1
fuckyou
matrix
cjmasterinf
internet
hallo123
eminem
demo
gewinner
pokemon
abcd1234
guest
ngockhoa
martin
sandra
asdf
hejsan
george
qweqwe
lollipop
lovers
q1q1q1
tecktonik
naruto
password12
password123
password1234
password12345
password123456
password1234567
password12345678
password123456789
000000
maximius
123abc
baseball1
football1
soccer
princess
slipknot
11111
nokia
super
star
666999
12341234
1234321
135790
159951
212121
zzzzzz
121314
134679
142536
19921992
753951
7007
1111114
124578
19951995
258456
qwaszx
zaqwsx
55555
77777
54321
qwert
22222
33333
99999
88888
6666
@H@@@@@HP
%s%x
MJ231993jdQ
12gowiey934t
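The file names (login, index, main, default), extensions (.php, .asp, .htm), web-root directory names (public_html, htdocs, httpdocs, wwwroot and so on) and the script fragments in the table (the hidden 1x1 iframe written by document.write, the <script>eval(unescape(' ... '));</script> block and the PHP if (!defined ("determinator")){eval(base64_decode( stub) suggest that stolen FTP credentials are used to plant those fragments in site pages. The script below is added here as a worked example; it is not Dr.Web's code. It walks a web root and reports every page carrying one of those markers, noting whether the file name is one of the primary targets. The sample site it builds in a temporary directory is constructed, and http://example.invalid/ stands in for whatever URL the plug-in fetched from the listed iframe.txt files.

```python
"""Scan a web root for the injected-script markers from the string table.

Added example (not Dr.Web's code). The sample site is constructed.
"""
import os
import re
import tempfile

# File names and extensions named in the string table
TARGET_NAMES = {"login", "index", "main", "default"}
TARGET_EXTS = {".php", ".asp", ".htm"}

# Markers taken from the string table. The iframe src and the unescape()
# argument are filled in at run time, so both are left open here; the
# src="..." quote is optional so the bare template string also matches.
MARKERS = {
    "hidden_iframe": re.compile(
        r"""document\.write\('<iframe src="[^"]*"?\s*width=1 height=1></iframe>'\)"""),
    "eval_unescape": re.compile(r"<script>eval\(unescape\('[^']*'\)\);</script>"),
    "php_base64_eval": re.compile(
        r'if \(!defined \("determinator"\)\)\{eval\(base64_decode\('),
}


def is_primary_target(path):
    """True for login/index/main/default.{php,asp,htm}."""
    name, ext = os.path.splitext(os.path.basename(path))
    return name.lower() in TARGET_NAMES and ext.lower() in TARGET_EXTS


def scan_text(text):
    """Return the sorted names of all markers present in text."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))


def scan_tree(root):
    """Return {relative path: {"markers": [...], "primary_target": bool}}
    for every .php/.asp/.htm file under root that carries a marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = {"markers": found,
                             "primary_target": is_primary_target(path)}
    return hits


def build_sample_site():
    """Constructed sample: a public_html tree with one clean page and three
    pages carrying one marker each. The iframe URL is a placeholder."""
    root = tempfile.mkdtemp(prefix="sector_demo_")
    docroot = os.path.join(root, "public_html")
    os.makedirs(os.path.join(docroot, "about"))
    clean = "<html><body><p>hello</p></body></html>\n"
    pages = {
        "index.htm": clean + "document.write('<iframe src=\"http://example.invalid/\""
                             " width=1 height=1></iframe>')\n",
        "login.php": "<?php\nif (!defined (\"determinator\"))"
                     "{eval(base64_decode('aGVsbG8='));}\n?>\n" + clean,
        "about/team.htm": clean,
        "contact.htm": clean + "<script>eval(unescape('%64%6f'));</script>\n",
    }
    for rel, body in pages.items():
        with open(os.path.join(docroot, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the constructed site and scan it."""
    return scan_tree(build_sample_site())


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

Run it against a real document root instead of the temporary sample by calling scan_tree("/path/to/public_html"); a hit in a file that is not a primary target still needs cleaning, it just means the page was touched by a later pass or a different tool. After cleanup, rotate the FTP credentials that were stored in any of the clients named in the table, since the injected pages are the symptom and the stolen login is the cause.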

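On the host side the table contains the Run key used for persistence, the AuthorizedApplications\List path of the Windows XP firewall together with the value format %s:*:Enabled:ipsec (the label the plug-in gives its own whitelist entry), and the file-name template w%x.exe. The script below is an added example rather than anything from Dr.Web: it parses a .reg export of those two keys and flags entries that match the format string or the name template. The sample export is constructed, and the use of IpSec as the Run value name is an assumption made for the sample only.

```python
"""Flag the firewall-whitelist and Run-key artifacts from the string table
in an exported .reg file. Added example (not Dr.Web's code); the sample
export below is constructed.
"""
import re

FIREWALL_LIST = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# "%s:*:Enabled:ipsec" from the table: <path>:*:Enabled:<label>
IPSEC_LABEL = re.compile(r":\*:Enabled:ipsec$", re.IGNORECASE)
# "w%x.exe" from the table: w, one to eight hex digits, .exe.
# Short legitimate names such as wab.exe also match; review hits manually.
DROPPER_NAME = re.compile(r"(?:^|\\)w[0-9a-f]{1,8}\.exe$", re.IGNORECASE)

# "name"="data" lines of a .reg export (string values only)
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = _VALUE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def check_entries(entries):
    """Return [(key, value_name, reason)] for entries matching the artifacts."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(FIREWALL_LIST.lower()):
            if IPSEC_LABEL.search(data):
                findings.append((key, name, "firewall whitelist entry labelled 'ipsec'"))
            elif DROPPER_NAME.search(name):
                findings.append((key, name, "firewall whitelist entry for w<hex>.exe"))
        elif k.endswith(RUN_KEY.lower()):
            if DROPPER_NAME.search(data.strip('"')):
                findings.append((key, name, "Run entry launching w<hex>.exe"))
    return findings


def check_reg_text(text):
    return check_entries(parse_reg(text))


# Constructed sample export: one benign and one suspicious value per key.
# The Run value name "IpSec" is an assumption, not taken from the table.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\Application Data\\w3a9f1c2.exe"="C:\\Documents and Settings\\user\\Application Data\\w3a9f1c2.exe:*:Enabled:ipsec"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IpSec"="C:\\Documents and Settings\\user\\Application Data\\w3a9f1c2.exe"
"""


if __name__ == "__main__":
    for key, name, reason in check_reg_text(SAMPLE_REG):
        print(f"{reason}: [{key}] {name}")
```

To use it on a live machine, export both keys with reg export (the firewall list lives under HKLM; the Run key exists under both HKLM and HKCU) and pass the file contents to check_reg_text. The table also contains netsh firewall set opmode disable, so an exported StandardProfile key whose EnableFirewall value is 0 on a host that should have the firewall on is a second indicator worth checking alongside these.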
Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from that media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
