Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below:
Malware Overview
This Trojan may be downloaded from remote Web sites by the following malware:
Upon execution, it drops files detected by Trend Micro as TROJ_ROOTKIT.FX and TROJ_INJECT.ZZ.
It creates a registry entry to enable its automatic execution at every system startup. It also modifies registry entries.
It logs keystrokes and gathers the data entered by the user in the submission forms of Internet Explorer. It also deletes browser cookies to force users to re-enter sensitive account-related information.
It also launches a carnivore sniffer to retrieve passwords from network packets. It searches for certain strings. It uploads the gathered information to several Web sites.
It creates a mutex to make sure that only one instance of the malware is running.
For additional information about this threat, see: Solution Technical Details
Description created: Jan. 8, 2009 10:30:16 PM GMT -0800