Malware type: Worm
Aliases: Packed.Win32.NSAnti.a (Kaspersky), PWS-QQRob (McAfee), Trojan.Packed.NsAnti (Symantec), TR/Crypt.NSAnti.Gen (Avira), Mal/Emogen-N (Sophos)
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Description:
QQPASS is an old but still-growing family of spyware, worms, backdoors, Trojans, and even scripts that steal Tencent QQ login information. QQPASS's motives are not as straightforward as those of other Trojan spyware families, such as TSPY_LINEAGE and TSPY_BANKER. Monetary reward, however, is the likely motive that has kept this threat family in the wild for so long and pushed it to evolve with the changing threat landscape. Read an article that documents QQPASS's behavior and describes how attackers can use stolen information, here: QQ Me... But TC :(.
This worm propagates by dropping copies of itself in all available removable drives.
Upon execution, it drops a copy of itself as SVOHOST.EXE in the Windows system folder. It also drops its component file, WINSCOK.DLL, in the same folder. This .DLL file, which Trend Micro also detects as WORM_QQPASS.ADH, is injected into running processes and is used to steal information.
It also drops the file AUTORUN.INF to enable its automatic execution.
Furthermore, it terminates several processes found running on the affected system. It may also delete registry data values under certain registry keys.
Once installed, this worm checks for the presence of the QQ instant messaging application. If the application is installed on the affected system, the worm proceeds to log chat conversations and account information. It sends the stolen information to a remote malicious user using its own Simple Mail Transfer Protocol (SMTP) engine.
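A triage check for the file indicators named above, as an added example that is not part of the original description: it looks for SVOHOST.EXE and WINSCOK.DLL in a given system folder and lists what any AUTORUN.INF on the given drive roots would launch. The function names, the directory arguments and the sample files built in `demo()` are constructed for illustration.

```python
import os
import tempfile

# File names from the description above, lowercased for case-insensitive matching.
SYSTEM_DIR_INDICATORS = {"svohost.exe", "winscok.dll"}
# Standard AutoRun keys that name a program to launch.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(inf_path):
    """Return the commands an autorun.inf would launch from its [autorun] section."""
    targets, in_section = [], False
    with open(inf_path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
                continue
            if not in_section or "=" not in line or line.startswith(";"):
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets

def triage(system_dir, drive_roots):
    """Report indicator files in system_dir and autorun.inf launch targets on drives."""
    findings = []
    for name in sorted(os.listdir(system_dir)):
        if name.lower() in SYSTEM_DIR_INDICATORS:
            findings.append(("system-file", os.path.join(system_dir, name)))
    for root in drive_roots:
        for name in sorted(os.listdir(root)):
            if name.lower() == "autorun.inf":
                for cmd in autorun_targets(os.path.join(root, name)):
                    findings.append(("autorun-launch", f"{root}: {cmd}"))
    return findings

def demo():
    """Constructed sample layout: a fake system folder and one fake removable drive."""
    with tempfile.TemporaryDirectory() as sysdir, tempfile.TemporaryDirectory() as drive:
        for name in ("SVOHOST.EXE", "WINSCOK.DLL", "notepad.exe"):
            open(os.path.join(sysdir, name), "w").close()
        with open(os.path.join(drive, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen=sample.exe\nshell\\open\\command=sample.exe\n")
        return [kind for kind, _ in triage(sysdir, [drive])]

if __name__ == "__main__":
    print(demo())
```

A file-name match is only a lead for further inspection; confirm any hit with an up-to-date scanner before acting on it.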
Description created: Oct. 13, 2006 1:43:53 AM GMT -0800