PWS:Win32/QQpass.CI


PWS:Win32/QQPass.CI is a generic detection for a trojan that steals user logon credentials for "QQ", a popular Chinese instant messaging application. The trojan sends captured data to a remote attacker via email.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation

Upon execution, PWS:Win32/QQPass.CI copies itself as the following file:

  • %ProgramFiles%\windows media player\9\7\4\1\c\d\9\a\0\4\b\a\9\e\4\9\7\6\c\9\1\3\7\0\5\7\5\e\1\1\5\a\autorun.inf\svchost.exe¡¡

In the file name above, the suffix "¡¡" is the first Chinese character in the Chinese GB standard, with the byte value "\xa1\xa1"; it appears as "¡¡" here because those two bytes are being rendered as Latin-1. The registry is modified to run the trojan at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
To data: "%windir%\System32\userinit.exe, "%ProgramFiles%\windows media player\9\7\4\1\c\d\9\a\0\4\b\a\9\e\4\9\7\6\c\9\1\3\7\0\5\7\5\e\1\1\5\a\autorun.inf\svchost.exe¡¡""
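The persistence above relies on two details a defender can check for directly: a second command appended to the Winlogon Userinit value, and a dropped file whose real ".exe" extension is hidden behind the trailing "\xa1\xa1" bytes, so an extension-based filter misses it while Userinit still launches it. The following script is an added example, not code from the Microsoft write-up or from the malware; the Userinit strings and the dropped path it parses are constructed inline (the path follows the one named above, with the suffix written as the Latin-1 reading of the two bytes), and the thresholds and finding labels are the example's own choices.

```python
import ntpath

# Constructed sample values (not a registry dump from the write-up). The
# dropped path follows the one named in the write-up; its last two bytes are
# \xa1\xa1, which the write-up renders as "¡¡" (their Latin-1 reading).
DROPPED_PATH = (
    b"C:\\Program Files\\windows media player\\9\\7\\4\\1\\c\\d\\9\\a\\0\\4\\b\\a"
    b"\\9\\e\\4\\9\\7\\6\\c\\9\\1\\3\\7\\0\\5\\7\\5\\e\\1\\1\\5\\a"
    b"\\autorun.inf\\svchost.exe\xa1\xa1"
).decode("latin-1")
INFECTED_USERINIT = 'C:\\Windows\\System32\\userinit.exe,"' + DROPPED_PATH + '"'
CLEAN_USERINIT = "C:\\Windows\\System32\\userinit.exe,"

# Extensions this example treats as a normally named program (example's choice).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd"}


def split_userinit(value):
    """Split a Userinit value into its comma-separated command entries,
    dropping surrounding quotes and the empty entry left by a trailing comma."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"').strip()
        if part:
            entries.append(part)
    return entries


def longest_single_char_run(components):
    """Length of the longest run of consecutive one-character directory names."""
    best = current = 0
    for name in components:
        current = current + 1 if len(name) == 1 else 0
        best = max(best, current)
    return best


def path_findings(path):
    """Return the reasons a launched path resembles the dropped file."""
    reasons = []
    components = [c for c in path.split("\\") if c]
    directories = components[:-1]
    # The \xa1\xa1 suffix means the name no longer ends in ".exe", so a check
    # on the extension alone would miss it even though Userinit launches it.
    if ntpath.splitext(path)[1].lower() not in EXECUTABLE_EXTENSIONS:
        reasons.append("no recognised executable extension")
    if any(ord(ch) > 0x7F for ch in path):
        reasons.append("non-ASCII character in path")
    if "autorun.inf" in (d.lower() for d in directories):
        reasons.append("'autorun.inf' used as a directory name")
    run = longest_single_char_run(directories)
    if run >= 8:  # threshold chosen for this example
        reasons.append(f"{run} consecutive single-character directories")
    return reasons


def audit_userinit(value):
    """Map every Userinit entry other than the real userinit.exe to its findings."""
    findings = {}
    for entry in split_userinit(value):
        parent, name = ntpath.split(entry)
        if name.lower() == "userinit.exe" and parent.lower().endswith("\\system32"):
            continue  # the expected entry
        findings[entry] = ["extra Userinit entry"] + path_findings(entry)
    return findings


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_USERINIT), ("infected", INFECTED_USERINIT)):
        print(label, audit_userinit(value) or "no findings")
```

On a live Windows host the value would be read with the standard-library winreg module (OpenKey on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, then QueryValueEx for "Userinit") and passed to audit_userinit; the functions use ntpath rather than os.path so the same parsing runs on any platform over exported values.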

Payload

Steals user information
PWS:Win32/QQPass.CI attempts to terminate the process "QQ.exe" to log the user out of the application. The trojan sets a timer to enumerate application windows persistently. When "QQ" is launched, the trojan captures user-entered logon details and sends the data to a remote user via email.

Prevents access to folder
The trojan prevents user access to the directory "%ProgramFiles%\windows media player\9".

Analysis by Jim Wang


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %ProgramFiles%\windows media player\9\7\4\1\c\d\9\a\0\4\b\a\9\e\4\9\7\6\c\9\1\3\7\0\5\7\5\e\1\1\5\a\autorun.inf\svchost.exe¡¡

Prevention


Alert level: Severe
First detected by definition: 1.77.18.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Feb 25, 2010
This entry was first published on: Feb 25, 2010
This entry was updated on: Jun 20, 2011

This threat is also detected as:
  • W32/FlyStudio.A.gen!Eldorado (Command)
  • TR/Crypt.CFI.Gen (Avira)
  • Trojan.PWS.Qqpass.4225 (Dr.Web)
  • Win32/FlyStudio.Q (ESET)
  • Trojan-PSW.Win32.Flystudio.y (Kaspersky)
  • BackDoor-DRV.gen.c (McAfee)