Microsoft security software detects and removes this threat. 

This malware family can give a malicious hacker access and control of your PC. Threats in this family can also try to steal your online banking details.

They spread via Facebook, Youtube, Skype, removable drives, and drive-by malware. When they spread via Facebook, they can posts on your wall. The post might look like this:

Find out ways that malware can get on your PC.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Win32/Caphaw often uses a legitimate file name to avoid suspicion. It scans the <system folder> folder for legitimate file names, then copies itself into the %APPDATA% folder using the same name. For example, the file name for Task Manager is <system folder>\taskmgr.exe. Caphaw might copy itself into your PC as %APPDATA%\taskmgr.exe.

Caphaw can also use these file names:

  • <system folder> \lssas.exe - note that a legitimate file called lsass.exe exists in the same folder
  • %windir% \assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\
  • %windir% \svchost.exe - note that a legitimate file with the same name exists in <system folder>

Caphaw injects itself into legitimate processes like the following to make it more difficult to remove:

  • cmd.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • reader_sl.exe
  • svchost.exe

Caphaw creates mutexes to make sure that only one instance of itself is running in memory.

To run every time Windows starts, some variants of Caphaw create an entry in the system registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<malware path and file name>" (for example "%APPDATA%\Microsoft\Excel\xlstart\winmine.exe")

Older variants of Caphaw also install a rootkit component. An infected master boot record (MBR) is detected as Trojan:DOS/Caphaw.A.

Spreads via...


One Caphaw variant, Win32/Caphaw.N, can do a number of actions on Skype, including:

  • Disabling audio alerts
  • Downloading files from a remote server
  • Sending messages and files to your contacts; this file is usually another Caphaw copy
  • Removing traces of its actions on Skype, like file transfers and recent conversations


Caphaw can spread by hijacking your Facebook account and posting a copy of itself into your friends' walls. The post might look like this:

Shared and removable drives

Caphaw can spread to other PCs via shared and removable drives. It creates shortcut files that link to a hidden Caphaw copy in the root folder of the shared or removable drive. If you click on the shortcut file, the Caphaw copy runs.

Drive-by malware

Caphaw can be installed via drive-by exploits. It's been known to be installed using vulnerabilities in Adobe Flash or Java.


Lets a malicious hacker control your PC

Caphaw lets a malicious hacker access and control your PC. The actions we've observed include:

  • Control your desktop
  • Control your mouse and keyboard
  • Access your files and folders
  • Upload your files to a hacker-controlled FTP server
  • Delete files
  • Download and run other files
  • Redirect Internet traffic via a proxy server
  • Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
  • Log and redirect web traffic from Firefox and Internet Explorer
  • Shut down or restart your PC
  • Spread to other PCs upon command
  • Log keystrokes
  • Change your PC settings
  • Start or stop programs
  • Update itself

Steals banking information

Caphaw can inject code and fake phone numbers into online banking websites when you visit them. It does this to try and steal your login information for these websites. It targets the online banking websites for these institutions:

  • Barclays
  • Bank of Scotland
  • Co-Operative Bank
  • Egg.Com
  • Fidelity
  • First Direct
  • HSBC
  • InterActive Brokers
  • John Lewis Financial
  • Leicester
  • Lloyds Bank
  • MBNA
  • NatWest
  • POFS Save Credit
  • RBS
  • Santander
  • Tesco Finance
  • Theaa
  • Ulster Bank
  • VirginMoney
  • YorkShire Bank

Analysis by Edgardo Diaz and Jody Koo


The following could indicate that you have this threat on your PC:

  • You get reports about Facebook posts, like the one below, that you don't remember making:


Alert level: Severe
This entry was first published on: Jun 05, 2014
This entry was updated on: Aug 21, 2014

This threat is also detected as:
No known aliases