Win32/PSW.QQPass [Threat Name]

Win32/PSW.QQPass.JF [Threat Variant Name]

Category trojan
Detection created Jul 29, 2006
Detection database version 1684
Aliases Trojan-PSW.Win32.QQRob.hl (Kaspersky)
  PWS-QQRob (McAfee)
  Hacktool.PWS.QQPass (Symantec)
Short description

Win32/PSW.QQPass.JF is a trojan that steals sensitive information.

Installation

When executed, the trojan copies itself into the %system% folder using the following name:

  • svohost.exe

The following file is dropped in the same folder:

  • winscok.dll

The size of the file is 33280 B.

The trojan creates the following files:

  • %userprofile%\Desktop\Internet Explorer.url
  • %system32%\noruns.reg

The trojan attempts to delete the following file:

  • %system32%\kakatool.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "SoundMam" = "%system32%\svohost.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = "0"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 0xbd

The following Registry entries are removed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTdhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winhoxt

Spreading

The trojan copies itself into the root folders of fixed and/or removable drives using the following name:

  • sxs.exe

The following file is created in the same folders:

  • autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.

Information stealing

The trojan collects various information when QQ Instant Messenger is being used.

The trojan can send the information to a remote machine.

The HTTP protocol or e-mail is used.

Other information

2 URLs are opened in Internet Explorer.

2 files are downloaded from the Internet.

These are stored in the following locations:

  • %system32%\dqhx.txt
  • %system32%\hie.txt

The following programs are terminated:

  • CCAPP.exe
  • CCenter.exe
  • EGHOST.exe
  • FireTray.exe
  • Iparmor.exe
  • Kav.exe
  • kav32.exe
  • KavPFW.exe
  • KAVPLUS.exe
  • kavstart.exe
  • kavsvc.exe
  • KpopMon.exe
  • KRegEx.exe
  • KVCenter.kxp
  • KVFW.exe
  • KVMonXP.exe
  • KVOL.exe
  • kvolself.exe
  • Kvsrvxp.exe
  • KVSrvXp_1.exe
  • kvwsc.exe
  • KWATCHUI.exe
  • MAILMON.exe
  • MCAGENT.exe
  • MCVSESCN.exe
  • MSKAGENT.exe
  • net.exe
  • net1.exe
  • Nvsvc32.exe
  • PFW.exe
  • RAVMON.exe
  • RavMonD.exe
  • RavService.exe
  • RavTask.exe
  • RAVTIMER.exe
  • regedit.exe
  • RfwMain.exe
  • RRfwMain.exe
  • Rtvscan.exe
  • sc.exe
  • sc1.exe
  • SHSTAT.exe
  • TBMon.exe
  • TrojDie.kxp
  • UpdaterUI.exe
  • VPTray.exe

The following services are disabled:

  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • kavsvc
  • KVSrvXP
  • KVWSC
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MskService
  • NPFMntor
  • RsCCenter
  • RsRavMon
  • SNDSrvc
  • SPBBCSvc
  • srservice
  • Symantec
  • wscsvc

The trojan terminates any program that creates a window containing any of the following strings in its name:

  • qqav
  • TKillqqvir
  • TKqqviru
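As an added host triage example (not part of the ESET description): a read-only PowerShell check for the file and Registry indicators listed on this page. The paths and value names come from the description above; the script assumes a standard %WINDIR%\System32 layout, reports what it finds and removes nothing.

```powershell
# Added triage script, not ESET's code. Reports indicators from the
# Win32/PSW.QQPass.JF description; it does not modify the system.
$Sys32 = Join-Path $env:WINDIR 'System32'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Files the trojan copies or drops into the system folder
foreach ($name in 'svohost.exe', 'winscok.dll', 'noruns.reg', 'dqhx.txt', 'hie.txt') {
    $p = Join-Path $Sys32 $name
    if (Test-Path -LiteralPath $p) { $Findings.Add("File present: $p") }
}

# 2. Persistence value "SoundMam" under the HKLM Run key
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$v = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).SoundMam
if ($v) { $Findings.Add("Run value SoundMam = $v") }

# 3. Hidden-file policy tamper: CheckedValue is 1 on a clean system
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $Findings.Add("SHOWALL CheckedValue = 0 (hidden files forced off)") }

# 4. NoDriveTypeAutoRun set to the value the trojan writes (0xbd)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndt = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ndt -eq 0xbd) { $Findings.Add(("NoDriveTypeAutoRun = 0x{0:X}" -f $ndt)) }

# 5. Spreading artefacts in the root of every file-system drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'sxs.exe', 'autorun.inf') {
        $p = Join-Path $d.Root $name
        if (Test-Path -LiteralPath $p) { $Findings.Add("Drive-root file: $p") }
    }
}

if ($Findings.Count -gt 0) {
    Write-Output "Indicators found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Win32/PSW.QQPass.JF indicators found.'
}
```

An autorun.inf on a drive root is not proof of infection on its own (legitimate media use it), so treat that finding as a prompt to inspect the file rather than as a verdict.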
