While the actual Bitcoin currency might have its ups and downs, the notion that it is real money has by now been firmly implanted in the minds of miscreants everywhere, as shown by the steady increase in the number of detected BTC stealer trojan samples.
The Trojan.Dropper.PWS e-threat comes in a packed dropper which contains three different files: npf.sys, wpcap.dll and packet.dll – three legitimate libraries which are part of the WinPcap software that CACE Technologies publishes. These are used to monitor network traffic and to capture FTP credentials (over TCP 21) or e-mails (SMTP and POP3, on TCP 25 and 110) should they be sent in the clear.
The e-threat adds itself to the startup key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, using the value name SonyAgent (this might vary) with the path to the dropped file as its data.
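A defender-side check for the persistence mechanism just described, added here as an example (it is not code from the original post): it parses an exported copy of the Run key, in the format `reg export` writes, and flags autostart entries launched from user-writable locations. The sample .reg text, the directory heuristic and every value name other than SonyAgent are constructed for the example.

```python
import re

# Constructed sample of what `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"`
# produces; the SonyAgent entry mimics the trojan's autostart value, the others are benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\ExampleVendor\\Updater.exe"
"SonyAgent"="C:\\Users\\Public\\AppData\\Local\\Temp\\svchost.exe"
"Dropbox"="\"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" /systemstartup"
'''

# Assumed heuristic: legitimate machine-wide autostart entries rarely launch from these.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Value name reported for this sample (the post notes it may vary).
KNOWN_BAD_NAMES = {"sonyagent"}


def parse_run_key(reg_text):
    """Return {value_name: data} for the REG_SZ values in an exported Run key."""
    entries = {}
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', reg_text, re.MULTILINE):
        # .reg files escape backslashes and embedded quotes; undo that.
        data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
        entries[m.group(1)] = data
    return entries


def executable_path(data):
    """Strip surrounding quotes and trailing arguments to get the launched file path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1 : data.index('"', 1)]
    m = re.match(r"^(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def suspicious_entries(entries):
    """Flag entries whose executable lives in a user-writable directory or has a known-bad name."""
    flagged = []
    for name, data in entries.items():
        path = executable_path(data).lower()
        if name.lower() in KNOWN_BAD_NAMES or any(d in path for d in SUSPICIOUS_DIRS):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    for name, path in suspicious_entries(parse_run_key(SAMPLE_REG)):
        print(f"suspicious autostart: {name} -> {path}")
```

On a live host the same functions can be fed the output of `reg export` for the HKLM and HKCU Run keys instead of the constructed sample.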
Aside from stealing Bitcoin wallets, the trojan extracts passwords from FTP clients such as Total Commander, WS_FTP, WinFTP, TurboFTP, FTP Surfer, SmartFTP, LeapFTP, UltraFXP, Frigate3 FTP, FTPRush, FTP Explorer, Classic FTP, Core FTP, FFFTP, CuteFTP, SecureFX, FTP Control, SoftX FTP Client, FlashFXP, BulletProof FTP Client and others.
The trojan also steals passwords stored by popular browsers and appears to be able to send e-mails as well.
Bitdefender antivirus software is, as usual, capable of detecting and removing the threat.