Win32/Captchar [Threat Name] go to Threat

Win32/Captchar.A [Threat Variant Name]

Category trojan
Size 215552 B
Aliases Trojan.Win32.Agent.brb (Kaspersky)
  Trojan.Captchar.A (Symantec)
  Captchar (McAfee)
Short description

Win32/Captchar.A is a trojan , which tries to get the user to rewrite texts from Captcha images. The file is run-time compressed using UPX .

Installation

The trojan must be manually installed.


The trojan does not create any copies of itself.


The trojan creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­SGPlay]
Other information

The trojan contains a list of (1) IP addresses.


It tries to download Captcha images and erotic images from a remote computer.


The HTTP protocol is used.


Captcha is a means of distinguishing a robot from a human using text hidden in an image. It is used in prevention of automated form submittion.


The program tries to get the user to rewrite text from the Captcha image into a text input field.


The trojan can send the information to a remote machine.


Afterwards, the user is rewarded with an erotic image.


It contains the following strings:

  • Hi!
  • My name is
  • . I'm 18 years old and you have come to the
  • right place to play :)
  • Wait for new word, please, sweetie ;)
  • How to play?
  • Easy, enter the code that you will see and I'm taking off
  • 1 of my things. :) Want to start strip me? Then what are you
  • waiting for? Click the start play.
  • Ok, lets start baby! Lets see if you can strip me :).
  • Put the word that you see on bottom, if its correct I'll
  • take off 1 of my xxx :)
  • Please, wait...
  • You need to enter word from image if you want to see me naked ;)
  • Hmmm, nope, the word you entered is incorrect honey! Lets try again?
  • Outch, nice one, you got it right! ok, ready for next one? Here it is

Some examples follow.


Example [1.] :

Example [2.] :

Please enable Javascript to ensure correct displaying of this content and refresh this page.