









W32/PWS-ARA Trojan

| Field | Value |
|---|---|
| Name | W32/PWS-ARA Trojan |
| Aliases | Troj/PWS-ARA, Trojan-Proxy.Win32.Mitglieder.ih, PWS:Win32/Ldpinch.gen |
| Discovered on | April 23, 2008 |
Virus Information - W32/PWS-ARA Trojan:
W32/PWS-ARA is a password-stealing trojan that targets Windows systems.
It arrives as a file dropped by other malware or is downloaded from the Internet.
Upon execution, the trojan drops the following files (the Windows System folder is System32 on Windows NT-based systems):
svchost.exe in the Windows folder,
AUHook.dll in the Windows System folder,
magent.exe in the Windows System folder,
mdmi386.exe in the Windows System folder,
mswapi.dll in the Windows System folder,
winio32.sys in the Windows System folder.
Note that the legitimate svchost.exe lives in the Windows System folder, so a copy directly under the Windows folder is itself a sign of compromise.
The trojan adds entries under the following registry keys so that it is loaded at each startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset6
The Winlogon\Notify subkey registers a Winlogon notification package, a DLL that winlogon.exe loads on logon events on Windows XP and Server 2003, which gives the trojan a second persistence path independent of the Run keys.
It also modifies the registry at the following locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Installer
HKEY_CURRENT_USER\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}
HKEY_CURRENT_USER\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3a729da-eabc-df50-1842-dfd682644311}
The winio32.sys file is registered as a system driver service with a startup type of automatic. The genuine Windows Installer service is registered under the key name msiserver, so a Services\Windows Installer key is not the legitimate service.
The files AUHook.dll and mswapi.dll are registered as COM objects under the CLSIDs listed above.
The mswapi.dll file is additionally registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer. A BHO is loaded into every Internet Explorer process, a placement that gives a password stealer access to browser traffic and submitted form data.
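The artifacts listed above double as host indicators. The PowerShell triage script below is an added example, not part of the original advisory or any vendor tool: it checks a Windows host for the dropped files, Run-key and Winlogon Notify entries, the service and driver registration, the COM CLSIDs and the BHO entry named in this description. It assumes an elevated prompt and PowerShell 4 or later (for Get-FileHash), and that a hit is a lead to investigate rather than confirmation on its own, since names such as svchost.exe also occur legitimately.

```powershell
# Added triage script for the W32/PWS-ARA artifacts described above (not the
# advisory's own code). Assumes an elevated PowerShell 4+ prompt. Any hit is a
# lead for further analysis, not proof of infection by itself.

$win   = [Environment]::GetFolderPath('Windows')   # usually C:\Windows
$sys32 = [Environment]::GetFolderPath('System')    # usually C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The real svchost.exe lives in System32, so a copy directly
#    under the Windows folder is suspicious on its own.
$files = @(
    (Join-Path $win   'svchost.exe'),
    (Join-Path $sys32 'AUHook.dll'),
    (Join-Path $sys32 'magent.exe'),
    (Join-Path $sys32 'mdmi386.exe'),
    (Join-Path $sys32 'mswapi.dll'),
    (Join-Path $sys32 'winio32.sys')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("FILE    $f  sha256=$h")
    }
}

# 2. Run keys: report any value whose data references one of the dropped files.
$names = $files | ForEach-Object { [IO.Path]::GetFileName($_) }
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        foreach ($n in $names) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                $findings.Add("RUN     $k\$($p.Name) = $($p.Value)")
            }
        }
    }
}

# 3. Winlogon notification package (XP/2003-era persistence): the reset6 subkey.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset6'
if (Test-Path $notify) {
    $dll = (Get-ItemProperty -Path $notify).DllName
    $findings.Add("NOTIFY  $notify  DllName=$dll")
}

# 4. Service key named "Windows Installer" (the genuine service key is msiserver),
#    plus any service whose image is winio32.sys regardless of key name.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Installer'
if (Test-Path $svc) {
    $s = Get-ItemProperty -Path $svc
    $findings.Add("SERVICE $svc  ImagePath=$($s.ImagePath) Start=$($s.Start) Type=$($s.Type)")
}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($ip -and $ip -match 'winio32\.sys') {
            $findings.Add("DRIVER  $($_.PSChildName)  ImagePath=$ip")
        }
    }

# 5. COM registrations for the two CLSIDs, and the Internet Explorer BHO entry.
#    HKCU:\CLSID is checked because the advisory lists it; the standard per-user
#    location is HKCU:\Software\Classes\CLSID.
$clsids   = @('{e3a729da-eabc-df50-1842-dfd682644311}', '{77770022-0D68-4D14-BF25-6747ACFA95DE}')
$comRoots = @('HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\CLSID')
foreach ($c in $clsids) {
    foreach ($r in $comRoots) {
        $k = "$r\$c"
        if (Test-Path $k) {
            $srv = Join-Path $k 'InprocServer32'
            $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '' }
            $findings.Add("COM     $k  InprocServer32=$dll")
        }
    }
}
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3a729da-eabc-df50-1842-dfd682644311}'
if (Test-Path $bho) { $findings.Add("BHO     $bho") }

if ($findings.Count -eq 0) { 'No W32/PWS-ARA artifacts found.' } else { $findings }
```

The checks are deliberately independent so that a partial cleanup (for example, the files deleted but the Winlogon Notify or service keys left behind) still shows up; collect the SHA-256 of any file hit before removing it so the sample can be matched against vendor detections.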
