Win32/Passma.G is a file-infecting virus that attempts to steal sensitive information, such as passwords.

When a system is initially infected, Passma.G copies itself to %System%\BIETIANMGR.EXE. This is a copy of the virus without a host file.

The virus also creates the following registry entry in order to run itself at each system start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bietian Manager = "%System%\BIETIANMGR.EXE"

Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location of the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP and Vista.

Passma.G can be seen in running processes as "BIETIANMGR.EXE". If this file is deleted, any of the infected files copy the virus back to the %System% directory.
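
A host check for the three indicators described above (the Run value, the file in %System%, and the running process), given here as an added PowerShell example that is not part of the original description. It assumes PowerShell 4.0 or later; the function name is hypothetical, and the WOW6432Node and SysWOW64 locations are an assumption added to cover 64-bit Windows, where registry and file writes by a 32-bit program are redirected.

```powershell
# Added example: report Passma.G indicators on the local host.
# Value name, file name and process name are taken from the description above.
function Get-PassmaGIndicator {
    $valueName = 'Bietian Manager'
    $fileName  = 'BIETIANMGR.EXE'

    # Native Run key plus the 32-bit view (assumption: 64-bit Windows redirection).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'

    # Resolve %System% by asking the OS instead of hard-coding a path,
    # and also look in SysWOW64 (same assumption as above).
    $sysDirs = @([Environment]::SystemDirectory,
                 (Join-Path $env:windir 'SysWOW64')) | Select-Object -Unique

    $found = @()

    # 1. Autostart value under the Run key
    foreach ($key in $runKeys) {
        $data = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($data) {
            $found += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$valueName"; Detail = $data }
        }
    }

    # 2. Host-less copy of the virus in the System folder
    foreach ($dir in $sysDirs) {
        $path = Join-Path $dir $fileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $found += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256=$hash" }
        }
    }

    # 3. Running process (Get-Process expects the name without the .EXE extension)
    foreach ($p in Get-Process -Name 'BIETIANMGR' -ErrorAction SilentlyContinue) {
        $found += [pscustomobject]@{ Type = 'Process'; Location = "PID $($p.Id)"; Detail = $p.Path }
    }

    $found
}

$hits = @(Get-PassmaGIndicator)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize -Wrap }
else { 'No Passma.G indicators found on this host.' }
```

Because infected files copy the virus back to %System%, a hit here means infected host files remain elsewhere on the disk; removing BIETIANMGR.EXE and the Run value alone does not clean the system.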

More information can be found at this Computer Associates page.