Virus: TR/NSAnti.B.7
Date discovered: 29/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 42.102 Bytes
MD5 checksum: caf96db786db731ed89d4ec7a7596ea5
VDF version: 6.35.01.20
IVDF version: 6.35.01.20

General
Aliases:
   • Symantec: Trojan.PWS.QQPass
   • TrendMicro: TSPY_QQPASS.QM
   • Bitdefender: Trojan.NSAnti.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows ME


Side effects:
   • Drops a file
   • Drops a malicious file
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %PROGRAM FILES%\Internet Explorer\PLUGINS\system.jmp



It deletes the following files:
   • %WINDIR%\DESKTOP\WODEXIAOSHIHOUCHAONAORENXINGDESHIHOU
   • %WINDIR%\DESKTOP\WAIOZONGSHICHANGGEHONGWONAHSOUGEHAOXIANGZHEYANGCHANGDEWODEGUXIANGZAIYUANFANG
   • %WINDIR%\DESKTOP\TIANHEIHEITIOOTIANTIANDOUYAONIAIWODEXINSIYOUNICAIBUYAOWENWOCONGNALILAI
   • %WINDIR%\DESKTOP\NPKCRYPT.SYS



The following file is created:
   • %PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys
Further investigation showed that this file is malware as well. Detected as: TR/PSW.QQRob.GD

Registry
The following registry value is added:
– HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
   • "{C9953583-932E-4EA1-A04B-4523AAB72C30}"=""



The following registry key is added:

– HKCR\CLSID\{C9953583-932E-4EA1-A04B-4523AAB72C30}\InProcServer32
   • "Default"="%PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys"
   • "ThreadingModel"="Apartment"
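One way a defender can audit this persistence mechanism, as an added PowerShell example that is not part of the Avira description: it enumerates the Explorer ShellExecuteHooks values, resolves each CLSID to its InProcServer32 DLL and flags any hook whose DLL lives outside the Windows system directories or lacks a valid Authenticode signature (the allowed-root list and the output column names are assumptions of this example). The entry described above, pointing at %PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys, would be reported as suspicious.

```powershell
# Added audit script (not from the Avira description). It lists Explorer
# ShellExecuteHooks, resolves each CLSID's in-process server and flags entries
# outside the system directories or without a valid signature.
# $allowedRoots is an assumption for this example; adjust to your baseline.

$hooksKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$allowedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-ShellExecuteHookAudit {
    if (-not (Test-Path $hooksKey)) { return @() }

    # Each hook is a value named after a CLSID; the data is normally empty.
    $clsids = (Get-ItemProperty -Path $hooksKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name }

    foreach ($clsid in $clsids) {
        # HKCR is the merge of these two hives, so check both.
        $server = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
            $inproc = Join-Path $root "$clsid\InProcServer32"
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc).'(default)'
                break
            }
        }

        $expanded = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }

        $inAllowedRoot = $false
        if ($expanded) {
            foreach ($r in $allowedRoots) {
                if ($expanded.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { $inAllowedRoot = $true }
            }
        }

        $sigStatus = if ($expanded -and (Test-Path $expanded)) {
            (Get-AuthenticodeSignature -FilePath $expanded).Status.ToString()
        } else { 'FileMissing' }

        [pscustomobject]@{
            CLSID      = $clsid
            Server     = $expanded
            Signature  = $sigStatus
            Suspicious = (-not $inAllowedRoot) -or ($sigStatus -ne 'Valid')
        }
    }
}

Get-ShellExecuteHookAudit | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit view of these keys lives under WOW6432Node and should be audited the same way.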

Backdoor
Sends information about:
   • Cached passwords

Injection
– It injects the following file into a process: %PROGRAM FILES%\Internet Explorer\PLUGINS\system.sys


– It injects itself as a thread into a process.

Process name:
   • %all running processes%


File details
Programming language:
The malware program was written in Delphi.

Description inserted by Bogdan Iliuta on Wednesday, August 9, 2006
Description updated by Andrei Ivanes on Monday, August 14, 2006
