Win32/Captiya

Win32/Captiya is a trojan that tries to decode CAPTCHA. CAPTCHA is an acronym for 'Completely Automated Public Turing test to tell Computers and Humans Apart', which is usually used for creating new e-mail accounts. Decoded CAPTCHAs can be used to automatically register e-mail accounts. The automatic mass creation of e-mail accounts can be used for spamming or other malicious activities.

Win32/Captiya has been observed in the wild being distributed with some variants of Spammer:Win32/Newacc.A. This is an attacker tool that automatically registers new e-mail accounts on Hotmail, AOL, Gmail, Lycos and other account service providers.

 

This trojan tries to decode captcha by comparing characters in the image to different fonts. Among the fonts used are the following:

 

Aldine32
Arial
Courier
Decker
Helevetica

The trojan may be used in conjunction with other malware that can automatically create new e-mail accounts (such as Spammer:Win32/Newacc.A) - the newly created accounts can then be used for spamming or other nefarious activities.