Win32/Howovi - New malware used in phishing?

[warabie25]

Is there any information on a malware named Win32/Howovi?

I believe that a website to which it is related is: www. kiam. com. my/ skinny /document. php

Any information would be helpful...

[David H. Lipman]

There is no information.  You'll have to contact the anti malware vendor who made the declaration. With 100's of thousands of trojans in the wild and scores of new trojans created regularly, sometimes a declaration name only has \meaning to the malware researcher who an analyzed the malware and created the detection.  It is not like some well known families like; Koobface, Zlob, Zbot, Vundo, etc.
 
I don't know how you put phishing with this.  Phishing is the act of obtaining credentials through some Social Engineering ploy and doesn't need a trojan to effect the data obtainment.  If a trojan was involved then the trojan would steal the credentials and would be a data or Password Stealer such as the Fareit trojan.
 
Years ago anti malware companies kept malware encyclopedias where one could research a given piece of malware.  Now they are only maintained for major families.  Another problem is different anti malware vendors may provide different detection names for the same infector.  For example the Lovsan worm was also called the Blaster worm.  That's why I always call it the Lovsan/Blaster worm.
 
Several years ago MITRE was contracted to create a database that could tie different detection names together.  It was called the Common Malware Enumeration ( CME ).  Not only was there an attempt made to tie different detection names to one infector, a detection name suffix could be affixed.  For example the Warezov worm was also called the Stration worm.  Wile there are and were some convention on how a trojan name is assigned, each anti malware vendor may apply these standards differently.  For example the suffix @MM ( or @mm ) which defines that named worm as a Mass Mailer worm.  When MITRE created a database entry it was assigned a CME number such as 416.  Thus a suffix could be assigned as !CME-416.  When that suffix is applied we know it is "that" specific infector. 
 
However, that database was too cumbersome an d the contract ended without renewal and the idea was dropped.
 
Besides applying conventions to a suffix, there are also conventions to the prefix and name.  Even then there are variations.  Take the "Win32/Howovi" which you make a query about ( but fail to provide the name of the anti malware vendor who made that declaration ) .  The prefix is "Win32/" that tells us the malware is a 32bit coded malware executable.  But a a different vendor may instead use W32/ or W32.  where the "/" and "." are delimiters.
 
Let's look at a live sample. 

felipeeanne posted MalBR

MalBR is felipeeanne's personal convention of 1 malware sample from Brazil. 

In that submission he posted a Virus Total Report URL ( Report URLs are required to accompany a malware submission )

https://www.virustotal.com/en/file/31b9502841bef93a55967d1134b920ee273dd795b113468b2f57500ed16a8990/analysis/1451405481/

 

We have two different detections that are notable "Trojan/Win32.Downloader" ( AhnLab-V3 ) and "Trojan.Win32.Banload.WTV" ( Baidu )

 

Right there you can see how two different vendors have defined the same infector "differently" while applying industry conventions differently.

 

One is "Trojan/Win32" and the other "Trojan.Win32" both are indicators of a 32bit trojan but the delimiter is applied differently.  Then on calls the trojan a "downloader" but the other indicates it is a Banload and appends .WTY.  Both are correct.  a Banload trojan is a Banker/Bancos Downloader.  Baidu goes further and specifically states it is the .WTV variant of a Banload trojan.

 

 

What I have tried to instill upon you is that malware detection names can lead one towards the functionality of a given infector but due toi the preponderance of so many different trojans that one can not get too much information from a name like "Win32/Howovi" unless it is a well known family.

 

 

HTH ( and doesn't confuse you )

[pondus]

SoftwareBundler: Win32/Howovi

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=SoftwareBundler:Win32/Howovi

[David H. Lipman]

Thanx pondus.
 
If the prefix is "SoftwareBundler" then it is a PUP declaration and not even malware.

[warabie25]

David, pondus,

 

Thank you for your assistance and advice.  I am still concerned that my computer may be infected.

Here is what happened yesterday:

I received this email from a colleague that I know and trust.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have a pending incoming docs shared with you via Google docs

 

Click to open ATTACHMENT

 

Google Docs makes it easy to create, store and share online documents, spreadsheets and presentations

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I clicked on the link "ATTACHMENT".  That directed me to this URL: www_kiam_com_my/ skinny /document_php (spaces inserted for safety).

Without thinking clearly about the unusual URL, I filled in my email address, password and phone number.  I was then directed to my Google Drive account but found no document from my colleague.  Realizing then that I may have compromised my account, I sent an email to my colleague.  "He" replied that he had sent it.  I replied to "him" that I was not able to access the document.  I then called him and he informed me that he was not sending those emails and that someone had hijacked his account.

 

I immediately ran both protection software that I have installed on my computer, Malwarebytes and Microsoft Security Essentials (MSE).  The MSE found the Win32_Howovi and I went through the procedure to remove it.  I then went to another computer and reset the password that I had entered; and then reset my Google Authentication for all other computers.

 

It may be a coincidence that the Howovi was installed on my computer with no relation to the phishing webpage that I had visited, but I need to be sure before accessing other sensitive accounts from my computer.  That is why I am cross-referencing with the Malwarebytes DB for information on Win32_Howovi.  According to the info from MSE, Win32_Howovi was first published yesterday.

 

Any information that you can provide, or if you could direct me to someone who could help, would be greatly appreciated.

 

Thank you in advance,

Wilson

[David H. Lipman]

If you are worried about being infected then please proceed to the Malware Removal Help sub-forum and request assistance.  It is the only area where Malware Removal Assistance is provided.