Worm.Win32.Passma [Kaspersky Lab], W32/Passma.worm.c [McAfee], W32/Passmail-D [Sophos]
Win32/passma.a, W32/Passma.B, W32/Passma.B, W32/PassMail-C
Category: Computer Virus
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
01 Apr 2003
W32.Passma was discovered on April 1, 2003. It is a password-stealing virus that also infects executable (.exe) files. It is also known as Worm.Win32.Passma, W32/Passma.worm.c and W32/Passmail-D. It mostly affects Windows operating systems.
More details about W32.Passma
W32.Passma takes several actions to propagate its infection. First, the virus drops and executes %System%\SERVICEMGR.EXE. It adds the value "System Manager" = "%System%\SERVICEMGR.EXE" to a system registry subkey. Then, the virus creates or modifies a particular system registry subkey. Finally, the virus begins to steal passwords and confidential information. After collecting this sensitive information, the worm mails it to a predetermined address on the indiatimes.com domain. The email has the subject “Password Mailer From: [COMPUTER_NAME]” and the sender’s address [email protected]
The virus does more than that. It also searches for .exe executable files to infect. When an infected file is executed, it drops and executes a clean copy of the original file with an .hwd extension.
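As an added example (not part of the original write-up or of any vendor tool), the following Python code checks exported host data for the indicators named in the two paragraphs above: the dropped SERVICEMGR.EXE, the "System Manager" autostart value, .hwd copies, and the "Password Mailer From:" subject. All sample data is constructed; the registry key header is a placeholder because the page does not name the subkey, and pairing each .hwd file with a same-named .exe in the same folder is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
DROPPED_NAME = "servicemgr.exe"
REG_VALUE_NAME = "system manager"
SUBJECT_RE = re.compile(r"^Password Mailer From:\s*(.+)$", re.IGNORECASE)
REG_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def scan_files(paths):
    """Flag the dropped file and any .hwd file that sits beside a same-named .exe."""
    norm = {str(PureWindowsPath(p)).lower() for p in paths}
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == DROPPED_NAME:
            hits.append(("dropped_file", p))
        elif wp.suffix.lower() == ".hwd" and str(wp.with_suffix(".exe")).lower() in norm:
            # Assumption: the clean copy keeps the host file's base name and folder.
            hits.append(("hwd_beside_exe", p))
    return hits

def scan_reg_export(lines):
    """Flag "System Manager" values pointing at SERVICEMGR.EXE in .reg-style text."""
    hits = []
    for line in lines:
        m = REG_LINE_RE.match(line.strip())
        if not m:
            continue  # key headers, blank lines, non-string value types
        data = m.group("data").replace("\\\\", "\\")  # .reg files double backslashes
        if (m.group("name").lower() == REG_VALUE_NAME
                and PureWindowsPath(data).name.lower() == DROPPED_NAME):
            hits.append(("autostart_value", data))
    return hits

def scan_subjects(subjects):
    """Return the computer names exposed in 'Password Mailer From:' subjects."""
    return [m.group(1).strip() for s in subjects if (m := SUBJECT_RE.match(s.strip()))]

# Constructed sample data (not taken from a real infection).
FILES = [r"C:\WINDOWS\System32\SERVICEMGR.EXE", r"C:\Tools\calc.exe",
         r"C:\Tools\calc.hwd", r"C:\Data\notes.hwd"]
REG = ['[HKEY_EXAMPLE\\PlaceholderSubkey]',
       '"System Manager"="C:\\\\WINDOWS\\\\System32\\\\SERVICEMGR.EXE"',
       '"Updater"="C:\\\\Tools\\\\calc.exe"']
SUBJECTS = ["Password Mailer From: ACCT-PC07", "Re: password reset", "Weekly report"]

if __name__ == "__main__":
    print(scan_files(FILES), scan_reg_export(REG), scan_subjects(SUBJECTS), sep="\n")
```

A lone .hwd file with no matching .exe (notes.hwd in the sample) is not flagged, which keeps unrelated files that happen to use that extension out of the results.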
The W32.Passma program takes advantage of exploits to enter a computer without being detected by the user. It may infiltrate a system when the user visits websites that embed malicious code related to this program. It may also be downloaded by other downloader applications already installed on the user’s machine. The W32.Passma program waits for an Internet connection to become available. Once a connection has been established, it connects to a remote server and downloads several programs and files. These components are stealthily launched on the affected machine. Having these additional components on the computer makes it more vulnerable. The user’s personally identifiable information (PII) may be transmitted to third parties.