Doctor Web: new Trojan distributed via YouTube

March 23, 2018

Doctor Web is warning users about the spread of a dangerous Trojan designed to steal files and other confidential information from infected devices. With the stolen data, cybercriminals can gain access to user accounts on social networking sites and other online services.

The malicious program, dubbed Trojan.PWS.Stealer.23012, is written in Python and infects computers running Microsoft Windows. Distribution of the Trojan started on March 23, 2018 and continues to this day. Cybercriminals publish links to the malicious program in the comments section of videos on YouTube, a popular web resource. Many of these videos focus on cheating methods in games (so-called “cheats”) that use special applications. Cybercriminals try to pass the Trojan off as such programs and other useful utilities. The links lead to Yandex.Disk servers. To persuade users to click a link, the videos carry comments that were clearly written from fake accounts. When victims click the link, they download a self-extracting RAR archive containing the Trojan to their computers.

An example of the link to a malicious file published in the comments section of the video.

Once launched on an infected computer, the Trojan collects the following information:

  • cookies stored by the Vivaldi, Chrome, YandexBrowser, Opera, Kometa, Orbitum, Dragon, Amigo, and Torch browsers;
  • saved logins/passwords from the same browsers;
  • a screenshot.

It also copies files with the “.txt”, “.pdf”, “.jpg”, “.png”, “.xls”, “.doc”, “.docx”, “.sqlite”, “.db”, “.sqlite3”, “.bak”, “.sql”, and “.xml” extensions from the Windows Desktop.

Trojan.PWS.Stealer.23012 saves all gathered information in the C:/PG148892HQ8 folder. It then packs all the data into an archive, which is sent to the cybercriminals’ server along with information about the infected device’s location.
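
For defenders, the staging folder and the extension list above can be turned into a simple triage check over endpoint file-creation events. The script below is an added example, not Doctor Web's code; the event layout (host, creating process, created file) and all host names, process paths and file names are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# From the advisory: staging folder and the Desktop extensions the Trojan copies.
STAGING_DIR = "c:\\pg148892hq8"
COPIED_EXTS = {".txt", ".pdf", ".jpg", ".png", ".xls", ".doc", ".docx",
               ".sqlite", ".db", ".sqlite3", ".bak", ".sql", ".xml"}

# Constructed file-creation events: (host, creating process, created file).
# Host names, process paths and file names are made up for this example.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Users\amy\Downloads\tool.exe", "C:/PG148892HQ8/Desktop/notes.txt"),
    ("WS-01", r"C:\Users\amy\Downloads\tool.exe", r"c:\pg148892hq8\screen.PNG"),
    ("WS-01", r"C:\Users\amy\Downloads\tool.exe", r"C:\PG148892HQ8\out.zip"),
    ("WS-02", r"C:\Windows\explorer.exe", r"C:\PG148892HQ8_old\report.pdf"),      # look-alike prefix
    ("WS-02", r"C:\Windows\explorer.exe", r"C:\PG148892HQ8\..\Users\bob\a.txt"),  # resolves outside
    ("WS-03", r"C:\Program Files\Editor\edit.exe", r"C:\Users\eve\Desktop\todo.txt"),
]


def in_staging_dir(path):
    """True if path is the staging folder or inside it, ignoring case and slash style."""
    norm = ntpath.normpath(path).lower()  # unifies slashes and collapses '..' segments
    return norm == STAGING_DIR or norm.startswith(STAGING_DIR + "\\")


def triage(events):
    """Group staging-folder writes by host for an analyst to review."""
    hosts = defaultdict(lambda: {"processes": set(), "copied_ext": 0, "other": 0})
    for host, process, target in events:
        if not in_staging_dir(target):
            continue
        entry = hosts[host]
        entry["processes"].add(process.lower())
        ext = ntpath.splitext(target)[1].lower()
        # Files with a listed extension match the Desktop copy behaviour;
        # anything else (for example the packed archive) is counted separately.
        entry["copied_ext" if ext in COPIED_EXTS else "other"] += 1
    return dict(hosts)


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, sorted(entry["processes"]), entry["copied_ext"], entry["other"])
```

Only WS-01 is reported: the look-alike folder name and the path that resolves outside the staging folder on WS-02 are not matched.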

Doctor Web virus analysts have found several modifications of the Trojan. Some of them are detected as Trojan.PWS.Stealer.23198. Dr.Web anti-virus products successfully detect all known modifications of this malicious program, so they do not pose any threat to our users.