SecurityHome.eu Trojan-PSW:W32/QQPass.QR

Home / malware PDF

Trojan-PSW:W32/QQPass.QR

First posted on 13 June 2007.
Source: SecurityHome
Aliases :
There are no other names known for Trojan-PSW:W32/QQPass.QR.
Explanation :
QQPass.QR steals QQ Messenger passwords.

Upon execution, this malware drops the following files:

%programfiles%Internet ExplorerPLUGINSsystem2.jmp
- Detected as Trojan-PSW.Win32.QQPass.qr
%programfiles%Internet ExplorerPLUGINSSystem64.sys
- Detected as Trojan-PSW.Win32.QQPass.qr

It creates and modifies the following Registry keys for its autostart mechanism:

Sets these values

HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks
{754FB7D8-B8FE-4810-B363-A788CD060F1F} =

Creates these keys

HKLMSoftwareClassesCLSID{754FB7D8-B8FE-4810-B363-A788CD060F1F}
HKLMSoftwareClassesCLSID{754FB7D8-B8FE-4810-B363-A788CD060F1F}InProcServer32

It inject itself to Internet Explorer so that whenever IE starts, the malware is executed as well.

Like any other QQPass trojan, this malware steals QQ Messenger passwords.

Last update 13 June 2007

TOP

Trojan-PSW:W32/QQPass.QR

Aliases :

Explanation :

Malware :

Family: