Threat behavior
Win32/Captiya is a trojan that tries to decode CAPTCHAs. CAPTCHA is an acronym for 'Completely Automated Public Turing test to tell Computers and Humans Apart', a challenge that web sites present to distinguish human users from automated programs, for example when a new e-mail account is created. A program that can decode CAPTCHAs can register e-mail accounts automatically, and accounts created in bulk this way can then be used for spamming or other malicious activities.
Installation
Win32/Captiya has been observed in the wild being distributed with some variants of Spammer:Win32/Newacc.A, an attacker tool that automatically registers new e-mail accounts on Hotmail, AOL, Gmail, Lycos and other account service providers.
Payload
Decodes CAPTCHAs
This trojan tries to decode a CAPTCHA by comparing the characters in the image against the character shapes of several fonts, and picks the font and characters that match best. Among the fonts used are the following:
Aldine32
Arial
Courier
Decker
Helevetica
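The comparison described above is template matching: each character cut out of the image is scored against the glyphs of every candidate font, and the best-scoring font and character win. The following is an added illustration written for this page, not code from Win32/Captiya or from Microsoft's analysis of it. It assumes two constructed 5x7 bitmap "fonts" named blocky and slab in place of real typefaces, and a constructed bitmap with two flipped pixels in place of a real CAPTCHA image; it also goes slightly beyond the page by showing why a decoder carries several fonts, since a glyph matched against the wrong font scores noticeably lower.

```python
"""Font-template CAPTCHA decoding, as an added worked illustration.

Glyphs and images are lists of equal-width strings: '#' is ink, '.' is blank.
The fonts, the text and the noise are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

Glyph = List[str]

# Two constructed bitmap "fonts" (hypothetical stand-ins for Arial, Courier, ...).
# Same characters, different designs, so a segment scores best in its own font.
FONTS: Dict[str, Dict[str, Glyph]] = {
    "blocky": {
        "A": [".###.", "#...#", "#...#", "#####", "#...#", "#...#", "#...#"],
        "H": ["#...#", "#...#", "#...#", "#####", "#...#", "#...#", "#...#"],
        "I": ["#####", "..#..", "..#..", "..#..", "..#..", "..#..", "#####"],
        "T": ["#####", "..#..", "..#..", "..#..", "..#..", "..#..", "..#.."],
    },
    "slab": {
        "A": ["..#..", ".#.#.", "#...#", "#####", "#...#", "#...#", "#...#"],
        "H": ["##.##", ".#.#.", ".#.#.", ".###.", ".#.#.", ".#.#.", "##.##"],
        "I": [".###.", "..#..", "..#..", "..#..", "..#..", "..#..", ".###."],
        "T": ["#####", "#.#.#", "..#..", "..#..", "..#..", "..#..", ".###."],
    },
}


def crop(glyph: Glyph) -> Glyph:
    """Drop blank columns on either side so a template is compared by its ink only."""
    cols = [c for c in range(len(glyph[0])) if any(row[c] == "#" for row in glyph)]
    if not cols:
        return [""] * len(glyph)
    return [row[cols[0]:cols[-1] + 1] for row in glyph]


def render(text: str, font: Dict[str, Glyph], gap: int = 1) -> Glyph:
    """Lay glyphs side by side with `gap` blank columns between them (a toy CAPTCHA)."""
    height = len(next(iter(font.values())))
    rows = ["" for _ in range(height)]
    for i, ch in enumerate(text):
        for r in range(height):
            rows[r] += ("." * gap if i else "") + font[ch][r]
    return rows


def add_noise(image: Glyph, points: List[Tuple[int, int]]) -> Glyph:
    """Flip the listed (row, col) pixels, standing in for CAPTCHA distortion."""
    rows = [list(r) for r in image]
    for r, c in points:
        rows[r][c] = "." if rows[r][c] == "#" else "#"
    return ["".join(r) for r in rows]


def segment(image: Glyph) -> List[Glyph]:
    """Split the image on blank columns: one piece per character."""
    width = len(image[0])
    pieces: List[Glyph] = []
    start: Optional[int] = None
    for c in range(width + 1):
        ink = c < width and any(row[c] == "#" for row in image)
        if ink and start is None:
            start = c
        elif not ink and start is not None:
            pieces.append([row[start:c] for row in image])
            start = None
    return pieces


def similarity(a: Glyph, b: Glyph) -> float:
    """Fraction of agreeing pixels after right-padding the narrower bitmap."""
    width = max(len(a[0]), len(b[0]))
    a = [row.ljust(width, ".") for row in a]
    b = [row.ljust(width, ".") for row in b]
    same = sum(x == y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return same / (width * len(a))


def decode(image: Glyph, fonts: Dict[str, Dict[str, Glyph]] = FONTS) -> Tuple[str, str, float]:
    """Match every segment against every glyph of every font.

    Returns (text, font_name, mean_score) for the font whose best-matching
    glyphs agree most with the image, i.e. the font the CAPTCHA was set in.
    """
    pieces = segment(image)
    best: Optional[Tuple[str, str, float]] = None
    for name, font in fonts.items():
        templates = {ch: crop(g) for ch, g in font.items()}
        text, total = "", 0.0
        for piece in pieces:
            ch, score = max(((ch, similarity(piece, t)) for ch, t in templates.items()),
                            key=lambda kv: kv[1])
            text += ch
            total += score
        mean = total / len(pieces) if pieces else 0.0
        if best is None or mean > best[2]:
            best = (text, name, mean)
    return best if best is not None else ("", "", 0.0)


if __name__ == "__main__":
    # Constructed input: "HIT" set in the slab font with two pixels flipped.
    captcha = add_noise(render("HIT", FONTS["slab"]), [(1, 2), (4, 14)])
    print("\n".join(captcha))
    print(decode(captcha))  # ('HIT', 'slab', 0.98...)
```

Column-based segmentation is the weak point of this approach: real CAPTCHAs overlap, rotate and warp characters precisely so that a clean split and a pixel-by-pixel comparison against a font fail, which is why a decoder of this kind needs many fonts and still gets only a fraction of challenges right.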
Additional Information
The trojan may be used in conjunction with other malware that automatically creates new e-mail accounts (such as Spammer:Win32/Newacc.A); the newly created accounts can then be used for spamming or other nefarious activities.
Analysis by Elda Dimakiling
Prevention