Virus: TR/PSW.QQSniff
Date discovered: 14/02/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 663.552 Bytes
MD5 checksum: 942f3e57afa5bbc09649fb79db8585d7
VDF version: 6.37.01.91
IVDF version: 6.37.01.92 - Wednesday, February 14, 2007

General Method of propagation:
   • No own spreading routine

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Steals information

Files:
The following file is created:

– Non-malicious file:
   • %system drive root%\qqpass.txt

Registry:
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "testwk1"="%malware execution directory%\%malware filename%"

The following registry keys are added:

– [HKCR\CLSID\{A5CA0D8F-FC23-B555-3B71-40973B714097}\InprocServer32]
   • "(Default)"="ole32.dll"

– [HKCR\CLSID\{A5CA0D8F-FC23-B555-3B71-40973B714097}]
   • "(Default)"="PointerMoniker"

– [HKLM\Software\Licenses]
   • "{0641C1F5CF28E8696}"=%hex values%
   • "{I641C1F5CF28E8696}"=%hex values%
   • "{K7C0DB872A3F777C0}"=%hex values%
   • "{R7C0DB872A3F777C0}"=%hex values%

Stealing:
It tries to steal the following information:
   • Passwords typed into password input fields

File details:
Runtime packer: to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • Armadillo

Description inserted by Gabriel Mustata on Wednesday, February 14, 2007
Description updated by Andrei Ivanes on Wednesday, February 28, 2007
