It is interesting to see how the writers of password-stealing trojans (commonly called PWS) think… :) Over the last few months I’ve been writing about PWS Bankers, since they are one of the most common kinds of malware targeting Brazil, and since I can read Portuguese, I saw lots of improvements in this malware, including… multiple redundancies! Today I got something different. In the email that it sends to the malware author to say “Hello World, I am on machine-XYZ”, it now also includes data about browsing activity and even the user’s bookmarks, including the browser used and the start page… interesting, huh? :)

Below is an example of the information sent by the malware:

Browser.............: C:\Program Files\Internet Explorer\iexplore.exe
Win Dir.............: C:\WINDOWS
Internet Protocol...: xxx.xxx.xxx.xxx
Start Page..........: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Date................: 1/8/2007
Time................: 6:58:03 AM
O.S. ...............: Microsoft Windows XP (version 5.1)
Bookmarks

*************************************************************
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
http://www.microsoft.com/isapi/redir.dll?(edited for length)sba=RadioBar&o1=&o2=&o3
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=CLinks
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsmedia
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windows
*************************************************************

Yes…he owns your computer and also knows where you surf!
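The report layout shown above is regular enough to match in outbound mail at a gateway or in a DLP content rule. The following is an added example, not part of the original post or of the malware: the function names, the label threshold and the sample body (with documentation addresses and example.com URLs) are assumptions constructed for illustration.

```python
import re

# Field labels taken from the report shown in the post.
PROFILE_LABELS = {"browser", "win dir", "internet protocol", "start page",
                  "date", "time", "o.s."}
# Label, dot leader (three ASCII dots or a typographic ellipsis, then more),
# colon, value.
FIELD_RE = re.compile(
    r"^\s*([A-Za-z][A-Za-z. ]*?)\s*(?:\u2026|\.{3})[.\u2026]*\s*:\s*(.*)$")
URL_RE = re.compile(r"^\s*https?://\S+\s*$", re.I)

# Constructed sample body in the same layout (not real captured data).
SAMPLE = r"""Browser...........: C:\Program Files\Internet Explorer\iexplore.exe
Win Dir...........: C:\WINDOWS
Internet Protocol…: 192.0.2.10
Start Page........: http://www.example.com/
O.S. .............: Microsoft Windows XP (version 5.1)
Bookmarks
*****
http://www.example.com/a
http://www.example.org/b
*****
"""


def parse_report(body):
    """Split a message body into labelled fields and bookmark URLs."""
    fields, bookmarks, in_bookmarks = {}, [], False
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m and not in_bookmarks:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
        elif line.strip().lower() == "bookmarks":
            in_bookmarks = True
        elif in_bookmarks and URL_RE.match(line):
            bookmarks.append(line.strip())
    return fields, bookmarks


def looks_like_host_profile(body, min_labels=4):
    """Flag bodies with several host-profile labels plus a bookmark list."""
    fields, bookmarks = parse_report(body)
    hits = PROFILE_LABELS & set(fields)
    # min_labels is an assumed threshold; tune it against real mail flow.
    return len(hits) >= min_labels and bool(bookmarks)
```

Requiring several labels together with a URL list keeps ordinary mail that happens to contain one dotted "Time...:" line from matching.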