TSPY_PASSVIEW.BM
a variant of Win32/PSWTool.MailPassView.E application (NOD32)
Windows
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This spyware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It does not have any propagation routine.
It does not have any backdoor routine.
It does not have any downloading capability.
TECHNICAL DETAILS
249,952 bytes
EXE
No
14 Oct 2014
Arrival Details
This spyware may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Propagation
This spyware does not have any propagation routine.
Backdoor Routine
This spyware does not have any backdoor routine.
Download Routine
This spyware does not have any downloading capability.
Information Theft
This spyware accepts the following parameters:
- /stext → saves gathered information with text file format
- /shtml → saves gathered information with HTML file format with horizontal view
- /sverhtml → saves gathered information with HTML file format with vertical view
- /sxml → saves gathered information with XML file format
- /stab → saves gathered information with tab delimited text file format
- /scomma → saves gathered information with comma delimited text file format
- /stabular → saves gathered information with tabular text file format
- /skeepass → saves gathered information with csv file format
- /savelangfile → save its configuration file as {malware path and filename}_lng.ini
- /deleteregkey → deletes registry key
- /noloadsettings → no settings
- /nosort → not sorted
- /sort → sort via specified data
It gathers the following data:
- Name
- Application
- Server
- Server Port
- Secured
- Type
- User
- Password
- Profile
- Password Strength
- SMTP Server
- SMTP Server Port
It attempts to steal stored email credentials from the following:
- Outlook Express
- IncrediMail
- Eudora
- Group Mail Free
- MS Outlook
- MS Outlook 2002/2003/2007/2010
- Gmail
- Hotmail/MSN
- Yahoo! Mail
- Netscape Mail
- Thunderbird
- Google Desktop
- Windows Mail
- Windows Live Mail
- Outlook 2013
Stolen Information
This spyware saves the stolen information in the following file:
- {specified path and filename} → specified path and filename by the user or attacker through parameter
NOTES:
It attempts to steal stored information used in the following protocols:
- POP3
- IMAP
- HTTP
- SMTP
- NNTP
SOLUTION
9.700
11.210.03
14 Oct 2014
11.211.00
15 Oct 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Search and delete these files
- {malware path and filename}_lng.ini
Step 4
Scan your computer with your Trend Micro product to delete files detected as TSPY_PASSVIEW.BM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.