Aliases: Worm.Win32.Passma [Kaspersky L, W32/Passma.worm.c [McAfee], W32/Passmail-D [Sophos]
Variants: Win32/passma.a, W32/Passma.B, W32/Passma.B, W32/PassMail-C

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 01 Apr 2003
Damage: Low

Characteristics: W32.Passma was discovered on April 1, 2003. This virus is a password stealing virus that also infects executable or .exe files. This virus is also known as Worm.Win32.Passma, W32/Passma.worm.c and W32/Passmail-D. It mostly affects Windows operating systems.

More details about W32.Passma

W32.Passma does several actions to propagate its infection. First, the virus drops and executes %System%\SERVICEMGR.EXE. It adds the value "System Manager" = "%System%\SERVICEMGR.EXE" to the system registry subkey. Then, the virus creates or modifies a particular system registry subkey. And finally, the virus begins to steal passwords and confidential information. After detecting those sensitive information, the worm sends them through mail to a predetermined email on the indiatimes.com domain. The email contains the subject “Password Mailer From: [COMPUTER_NAME]” and sender’s email as [email protected] The virus does not only do that. It also finds for .exe executable files to infect. Then, it drops and executes a clean copy of an original file with an .hwd extension once the infected file is executed.

The W32.Passma program takes advantage of exploits to enter a computer without being detected by the user. It may infiltrate a system when the user visits websites that are embedded with illicit codes that are related to this program. It may also be downloaded by other downloader applications that are already installed on the user’s machine. The W32.Passma program waits for an Internet connection to be available. Once a connection has been established, the software connects to a remoter server and downloads several programs and files. These components are stealthily launched on the user’s affected machine. Having these additional components on the computer makes the computer more vulnerable. The user’s PII may be transmitted to third parties.