Full description

Virus:	TR/NSAnti.B.7
Date discovered:	29/07/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	42.102 Bytes
MD5 checksum:	caf96db786db731ed89d4ec7a7596ea5
VDF version:	6.35.01.20
IVDF version:	6.35.01.20

General    • Symantec: Trojan.PWS.QQPass
   • TrendMicro: TSPY_QQPASS.QM
   • Bitdefender: Trojan.NSAnti.B

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows ME

Side effects:
   • Drops a file
   • Drops a malicious file
   • Records keystrokes
   • Registry modification
   • Steals information

Files It copies itself to the following location:
   • %PROGRAM FILES%\Internet Explorer\PLUGINS\system.jmp

It deletes the following files:
   • %WINDIR%\DESKTOP\WODEXIAOSHIHOUCHAONAORENXINGDESHIHOU
   • %WINDIR%\DESKTOP\WAIOZONGSHICHANGGEHONGWONAHSOUGEHAOXIANGZHEYANGCHANGDEWODEGUXIANGZAIYUANFANG
   • %WINDIR%\DESKTOP\TIANHEIHEITIOOTIANTIANDOUYAONIAIWODEXINSIYOUNICAIBUYAOWENWOCONGNALILAI
   • %WINDIR%\DESKTOP\NPKCRYPT.SYS

The following file is created:

– %PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.QQRob.GD

Registry – HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\
   ShellExecuteHooks
   • "{C9953583-932E-4EA1-A04B-4523AAB72C30}"=""

The following registry key is added:

– HKCR\CLSID\{C9953583-932E-4EA1-A04B-4523AAB72C30}\InProcServer32
   • "Default"="%PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys"
   • "ThreadingModel"="Apartment"

Backdoor Sends information about:
• Cached passwords

Injection – It injects the following file into a process: %PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys

– It injects itself as a thread into a process.

Process name:
• %all running processes%

File details Programming language:
The malware program was written in Delphi.

Description inserted by Bogdan Iliuta on Wednesday, August 9, 2006
Description updated by Andrei Ivanes on Monday, August 14, 2006

Back . . . .