
Trojan.PWS.OSMP.21 infects payment terminals

March 25, 2014

Home users aren’t the only ones being targeted by today’s threats—various financial organisations are receiving their own share of attention from criminals who are crafting malicious applications for ATMs and payment terminals. Doctor Web has issued a warning regarding one such Trojan, namely, Trojan.PWS.OSMP.21. This malware is infecting the terminals of a major Russian payment system.

Trojan.PWS.OSMP.21 is implemented as a dynamic link library that is delivered onto terminals via infected flash drives. A dropper program responsible for copying the DLL file has also been discovered. Once the payment terminal has been compromised, the Trojan library is copied into the Application Data folder as win.sxs. One of its routines then modifies the Windows Registry so that the DLL is loaded automatically at system start-up. The added registry entry is named Taskbar.
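The following added example, which is not part of Doctor Web's article, scans saved `reg query` output from a terminal for the two persistence indicators named above: an autorun entry called Taskbar and a command that references win.sxs. The registry key paths, account name and command line in the sample are constructed assumptions, because the article does not state which registry key is modified or how the DLL is loaded.

```python
import re

# Indicators taken from the article; everything else is an assumption.
IOC_VALUE_NAME = "taskbar"  # name of the added autorun registry entry
IOC_FILE_NAME = "win.sxs"   # Trojan DLL copied into Application Data

# `reg query` prints a key path, then indented "name    TYPE    data" lines.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

def find_suspicious_autoruns(reg_output):
    """Return (key, name, data, reasons) for entries matching an indicator."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):  # unindented line = key header
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue  # blank line or something that is not a value row
        name, data = m["name"].strip(), m["data"]
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("entry name is Taskbar")
        if IOC_FILE_NAME in data.lower():
            reasons.append("command references win.sxs")
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

# Constructed sample: key paths, user name and command line are assumptions.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Taskbar    REG_SZ    rundll32.exe "C:\Documents and Settings\kiosk\Application Data\win.sxs",ExampleExport

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Payment Client    REG_SZ    C:\Terminal\client.exe
"""

if __name__ == "__main__":
    for key, name, data, reasons in find_suspicious_autoruns(SAMPLE):
        print(f"[!] {key}\\{name}: {'; '.join(reasons)}")
        print(f"    {data}")
```

An entry that matches only one of the two indicators is still reported with its single reason, so an analyst can decide whether a renamed file or a differently named entry deserves a closer look.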


Next, another malicious routine searches for the process involved in payment processing. If it does not find this process, it initiates another routine that infects flash drives. If the targeted process is active, Trojan.PWS.OSMP.21 tries to retrieve the config.dat file and the logs from the folder containing the corresponding executable file, and gathers information about the hard disk. Subsequently, all the data is transmitted in an encrypted format to the attacker's server. If the data transfer is successful, the Trojan deletes itself.

Trojan.PWS.OSMP.21’s signature was added to the Dr.Web virus database on February 14. Doctor Web's anti-virus programs successfully detect and remove this malware.

Protect your embedded devices with Dr.Web ATM Shield.


© Doctor Web
2003 — 2019
